Whois API Blog http://www.fengnu.net.cn/blog Wed, 11 Sep 2019 16:13:50 +0000 en-US hourly 1 http://wordpress.org/?v=3.5.1 The Best Ways to Get a User’s Location in JavaScript http://www.fengnu.net.cn/blog/the-best-ways-to-get-a-users-location-in-javascript/ http://www.fengnu.net.cn/blog/the-best-ways-to-get-a-users-location-in-javascript/#comments Wed, 11 Sep 2019 16:13:50 +0000 admin http://www.fengnu.net.cn/blog/?p=2247 Geolocating your website’s users can be useful for a wide variety of purposes. For example, you may want to show a different version of your website to users in different localities. You may be trying to better understand where your … Continue reading ]]>

Geolocating your website’s users can be useful for a wide variety of purposes. For example, you may want to show a different version of your website to users in different localities. You may be trying to better understand where your users live so you can tailor your website to better suit their needs. Or, maybe your website can only function in certain areas.


Whatever your reasons, geolocating your users and knowing where they’re coming from can be useful.


There are a few different ways to geolocate users by using JavaScript. Each method has its own tradeoffs. I’m going to cover all the different ways in which you can geolocate users by using JavaScript below.


The methods below are ranked from best to worst (factoring in accuracy, convenience, and complexity). This will hopefully help you decide which approach to take according to your requirements.


The Most Accurate Way to Locate Your Users: Ask!


The most accurate way to figure out where your users are located is to… ask them! As I was doing my research for this article, I was surprised that I hadn’t seen anyone else mention this.

The Most Accurate Way to Locate Your Users: Ask!

As you’re going to learn in a few minutes, locating a user isn’t always straightforward, and no matter what method you choose, accuracy isn’t guaranteed. Having said that, there certainly isn’t a more accurate way to find the location of your users than to just ask them.


If your goal is to figure out precisely where someone lives, why not just throw together a simple web form that prompts the user for their physical address? Tons of sites do this and users are more than willing to give their address to you if necessary.


In particular, if you’re building any sort of shopping or e-commerce-type website, getting a user’s address is a standard part of the flow. If you’re building any sort of social media-type application, some amount of location data is typically requested (think Facebook, Twitter, etc.).


On the other hand, if you’re building the type of website that users wouldn’t expect you to need their address for, this approach obviously won’t work, and could potentially be detrimental (you’ll run the risk of giving your users the creeps).


Find Your User’s Location in JavaScript Using an API


If it doesn’t make sense for you to ask your users where they live, the next most accurate way to locate your website’s users is by using an API service (like geoipify). Services like geoipify are called “IP geolocation services” because they allow you to take a user’s IP address and map it back to an actual physical location.


The way IP geolocation services work is by aggregating IP address data from many different sources including:


  • Information from internet service providers who provide information like GPS coordinates and addresses of IP addresses they assign. For example, when you signed up for internet service at your house, your ISP gave you a public IP address at your home. Your ISP may then record that data and share it out with third parties.
  • Data mining. If you’ve ever voluntarily given your address to a website, that website may have shared that information with other third parties so that they can map your IP address back to your physical address.
  • Merging databases from various providers. There are several large IP geolocation providers. By merging these databases together, you can improve the coverage of IP geolocation data.
  • Latency-based geolocation techniques. Because talking to devices over the public internet requires routing between many different devices across the world, there are various techniques that can be used to geolocate an IP address by analyzing the time it takes to communicate with a device in a known location.


As you can probably tell from the above description, it isn’t easy to access IP address geolocation data on your own, so using a service to pragmatically query this information is your only real choice.


One of the benefits to using an IP geolocation service like geoipify is that it won’t detract from your user experience at all. You don’t need to ask the user for their address, prompt them for permissions, or anything like that. All you need to do is take the user’s public IP address (which you can easily retrieve by using your programming language of choice) and run it through an IP geolocation service to figure out where that user is located.


The downside to using an IP geolocation service is that users can manipulate their IP address by using tools like VPN services and IP address spoofing. If a user is able to manipulate their IP address so that your website thinks the user has a different IP address than they actually do, you’re obviously going to be getting incorrect location information when you later geocode the user’s IP address.


All that said, this method is still extremely accurate in most circumstances. And the odds are, if a user is purposefully manipulating their IP address, they are unlikely to want you to know their location regardless.


If you want to use geoipify to find the location of your website’s users, you can sign up and use the service for free here.


Here’s how you can easily find the location of a user through their IP address by using the simple-geoip JavaScript library. Here’s a full example application showing how it works:


const GeoIP = require("simple-geoip");

let geoIP = new GeoIP("your geoipify api key goes here");

geoIP.lookup("", (err, data) => {
  if (err) throw err;


If you were to run the program above, you would get back the following location data for the user with IP address `` (NOTE: `` is a special address owned by Google).


  ip: '',
  location: {
    country: 'US',
    region: 'California',
    city: 'Mountain View',
    lat: 37.40599,
    lng: -122.078514,
    postalCode: '94043',
    timezone: '-07:00',
    geonameId: 5375481
  domains: [ '0--9.ru', '000180.top', '0002.by', '00027.hk', '00049ok.com' ],
  as: {
    asn: 15169,
    name: 'Google LLC',
    route: '',
    domain: 'https://about.google/intl/en/',
    type: 'Content'
  isp: 'Google'


Not bad, huh? With just a few lines of code, you can get a ton of useful location information about a user.


Use the Browser Geolocation API


The last (and my least favorite) method for finding out where a user is located is to use the built-in Geolocation API that most browsers now support.

Use the Browser Geolocation API

Essentially, this API allows you to prompt the user for their location information. If the user “allows” you to access their location data, then you can use the Geolocation API to get the GPS coordinates of the user (latitude and longitude).


Unfortunately, depending on the device the user possesses, getting accurate location data may take a while.

Here’s a small web application that displays your GPS coordinates by using the Geolocation API in your browser (courtesy of Mozilla).


### HTML Page


<button id = "find-me">Show my location</button><br/>
<p id = "status"></p>
<a id = "map-link" target="_blank"></a>


### JavaScript


function geoFindMe() {

  const status = document.querySelector('#status');
  const mapLink = document.querySelector('#map-link');

  mapLink.href = '';
  mapLink.textContent = '';

  function success(position) {
    const latitude  = position.coords.latitude;
    const longitude = position.coords.longitude;

    status.textContent = '';
    mapLink.href = `https://www.openstreetmap.org/#map=18/${latitude}/${longitude}`;
    mapLink.textContent = `Latitude: ${latitude} °, Longitude: ${longitude} °`;

  function error() {
    status.textContent = 'Unable to retrieve your location';

  if (!navigator.geolocation) {
    status.textContent = 'Geolocation is not supported by your browser';
  } else {
    status.textContent = 'Locating…';
    navigator.geolocation.getCurrentPosition(success, error);


document.querySelector('#find-me').addEventListener('click', geoFindMe);


There are a few problems I see with the Geolocation API:


  • It requires the user to accept location permissions. This stands a chance of freaking your users out and driving them away from your website. Depending on the type of application you’re building, this could cause a substantial user experience issue.
  • Users can reject your location request. If a user chooses to reject your location request, you obviously won’t be getting any data. Using an IP geolocation service allows you to always retrieve location information, even without a user’s explicit consent.
  • You only get GPS coordinates. While getting GPS coordinates can be useful if you are later able to translate them to a physical address, this will require the help of an external API service (like Google’s geocoding API), which means you will still need to rely on a third party to help you make sense of the data you’re getting.


If your use case is simple, however, using the built-in browser Geolocation API might be something to look into.


Summary: The Best Ways to Get a User’s Location


If you need to get a user’s location information, you really only have a few choices:



While each method has its own drawbacks and benefits, my personal favorite method is to silently locate a user from their IP address by using a geolocation service. My reasoning is simple: it’s the only method that doesn’t require impacting the user experience of your website, and geolocation services allow you to get fairly accurate location data without much ado.


Hope you found this useful!

http://www.fengnu.net.cn/blog/the-best-ways-to-get-a-users-location-in-javascript/feed/ 0
Enriching Domain Protection Through Historic and Reverse WHOIS Data Monitoring http://www.fengnu.net.cn/blog/enriching-domain-protection-through-historic-and-reverse-whois-data-monitoring/ http://www.fengnu.net.cn/blog/enriching-domain-protection-through-historic-and-reverse-whois-data-monitoring/#comments Wed, 11 Sep 2019 08:36:47 +0000 admin http://www.fengnu.net.cn/blog/?p=2233 The foundation of a domain’s existence on the Web is its credibility. It must be secured at all costs because it’s constantly under threat from malicious elements that are out there staging. As such, domain protection is an indispensable component … Continue reading ]]>

The foundation of a domain’s existence on the Web is its credibility. It must be secured at all costs because it’s constantly under threat from malicious elements that are out there staging. As such, domain protection is an indispensable component of overall cybersecurity efforts because not just business viability but a domain’s very own survival is at stake.


A company can protect its domain in different ways. For one, it can initiate its own in-house solution which would require substantial expertise and investment to put in place. Another option is to delegate the responsibility to experienced specialists dedicated to providing brand and digital protection services.


As part of their services, such companies track and analyze potentially dangerous domains that use the keywords associated with their clients’ organizations or brands. However, such a monitoring function requires unimpeded access to the available data on both recent and historic domain registrations. It may sound easy for some, but not all companies providing domain protection services have that capability. Let’s take a closer look.


Access to Huge Amounts of Data Is a Must


As domain protection teams are constantly on the lookout for existing and potential threats to their clients’ domains, they mostly rely on access to open-source domain data to monitor dangers promptly. This could be quite a challenge considering that there are now hundreds of millions of active domain names and billions of historical records to sift through.


For a team to avoid potential attacks and investigate existing issues, it must tap into huge amounts of domain data on gTLDs, ngTLDs, ccTLDs, etc. in order to ensure precise results. That data must also be well parsed and available in easily readable formats in order to minimize, if not eliminate, any additional workload on the client’s behalf.


Proprietary Tools for Data Enrichment


WhoisXML API has been in the cybersecurity sphere for more than a decade with a verifiable track record. Building on this, we now offer our clients a data enrichment service with our comprehensive domain protection solutions — which include WHOIS History API and Reverse WHOIS API proprietary monitoring tools.


Our WHOIS History API allows you to dig deep into a domain name’s past to discover any history of malicious activity. Virtually nothing can be hidden from our historic databases which contain more than 300 million active domains, one billion historic domain names, and over 5 billion historical WHOIS records, which have been compiled and constantly updated since 2008.


Reverse WHOIS API, on the other hand, permits you to search for domain records using specific terms — parsing through hundreds of millions of domain events of today and the days before. A query can be created with search terms such as name, email, phone number, address, etc. In turn, the API will generate a report of any other domains registered now or in the past and share your specified data point. This enables you to discover all the domains that are associated with your current investigation to reveal dangerous connections, potentially identifying evidence of malicious networks.


Both APIs can be used separately or, better still, complement each other to find out everything about an entity of interest. Combining them can uncover more details relevant to the keyword being looked into or the organization conducting the query.


Let’s take a look at the steps involved in such an investigation:


Step 1 — Tracking connections through Reverse WHOIS API

Tracking connections through Reverse WHOIS API

Request body sample


Tracking connections through Reverse WHOIS API

Sample output in JSON format


Reverse WHOIS lookup requires the input of a specific search term in the WHOIS database. As noted earlier, a query can be made using specific attributes such as name, email address, phone number, registration date, or any information detail that is usually included in a WHOIS record.


The term could be an exact match or a ‘fuzzy’ match such as inputting a common name, like Peter, or searching for email addresses that contain a particular term like ‘abc’. You can also filter your results to search only for records that correspond to a specific month or year.


Whatever term is used, the query will result in all the domain records — both current and historic — that correspond to the specific term inputted, well parsed and easily integrated into existing systems.


The result produced can be used to check if the keyword appears in WHOIS or registrant details of other domains and, therefore, can help verify if all the domains in the list are familiar to you or your client — registrant details are often spoofed by cybercriminals for phishing or other malicious purposes.


Step 2 — Searching the past through Historic WHOIS API


During step 2 the domain results that were obtained from the first step are run through the WHOIS History API which, in turn, can produce results that are available in PDF format.


At this stage, it is important to pay attention to certain details to determine if the domains being investigated are legitimate or not. For example, registration details must match the infrastructure of the domain being analyzed. Otherwise, it could point to malicious activity.


Importantly, for companies obtaining data for domain protection activities, using WHOIS History API is preferred over WHOIS API because the former can turn up data that may have already been updated in the current database. For example, historic WHOIS can track down domain owners from the time the domain was first registered even if the current details have already been concealed or changed, thus providing deeper actionable intelligence.


Best of Both Worlds


The two-step investigation involving WHOIS History and Reverse WHOIS APIs underscores the advantage of having access to all the available tools to allow cross-checking and data enrichment. The approach strengthens the delivery of domain protection services by cybersecurity companies.


Reverse WHOIS API can immediately dive into specific search terms to set the focus of the investigation as well as can be used separately to combat brand infringement. The data obtained can then be verified or corroborated using WHOIS History API, reaching records that may not be currently accessible but can hold the key to the immediate implementation of domain protection solutions.



Safeguarding a domain from threats requires huge amounts of data plus the tools needed to efficiently access, monitor, and analyze them in order to identify potential risks. Partnering with an experienced cybersecurity provider such as WhoisXML API can help ensure better and richer domain protection.

http://www.fengnu.net.cn/blog/enriching-domain-protection-through-historic-and-reverse-whois-data-monitoring/feed/ 0
Enable Active Phishing Protection With Domain Reputation API. http://www.fengnu.net.cn/blog/enable-active-phishing-protection-with-domain-reputation-api/ http://www.fengnu.net.cn/blog/enable-active-phishing-protection-with-domain-reputation-api/#comments Tue, 03 Sep 2019 08:00:14 +0000 admin http://www.fengnu.net.cn/blog/?p=2218 In the digital world, just as in the real one, reputation matters. While in real-world dealings and transactions there exist multiple ways in which we can gauge the reputation of a person or organization with which we have to engage … Continue reading ]]>

In the digital world, just as in the real one, reputation matters. While in real-world dealings and transactions there exist multiple ways in which we can gauge the reputation of a person or organization with which we have to engage in any capacity, the complexity and sheer volume of the web makes this task exponentially difficult in the virtual world.

The modern economic and technological landscape has silently nudged us into a world of online social interactions, financial transactions as well as business dealings. This has resulted in a large amount of data being stored in and exchanged across digital media on a daily basis.

Consequently, data has emerged as the new currency in the cyber-world, and this is exactly where cyber criminals can take advantage of security loopholes and compromise sensitive and financially significant information.


Domain Reputation: A Key Factor In Effective Security Measures

The cyber-world has made it increasingly convenient to set up and run websites. However, this very same feature has made it easy for cyber-criminals to set up malicious websites and host malware that can severely compromise data and network security, resulting in information leaks that can have potentially disastrous consequences. In such a scenario, careful reputation analysis of any online entity becomes imperative before connecting with the same.

The Domain Reputation API can prove to be a significantly useful tool for assessing the credibility of any online resource. This has multiple use-cases in the field of cyber security. The uses to which the Domain Reputation API can be put are best described by the following hypothetical situation.


The Crime

John receives an email from his bank asking him to take part in an investment scheme with attractive returns. Being a budding investor, John is interested and clicks on the email link to visit the associated webpage.

There, John logs in to a page which asks him to input his bank details and credit card number along with the CVV; this, he learns, is essential for being eligible for the scheme. Unsuspecting, John does the needful and receives a confirmation that his name has been registered for the process.

Later in the day, John learns that several transactions have been made from his bank account, and a considerable sum has been stolen. John realizes he has become the victim of a cybercrime, and immediately contacts the authorities.


How Domain Reputation API Provides The Solution

The above scenario is a classic case of a phishing scam, where the victim is lured by email into revealing sensitive information. A cyber-security professional looking into the above case can take the help of Domain Reputation API to detect the perpetrators and prevent further occurrences of the same act.



How exactly does this work? Let’s find out.

Cyber security professionals can approach the case in the following way: it is evident that the victim was lured to a domain which was probably similar to his bank website. The perpetrators impersonated his bank and thus gained access to his banking details. The problem, in this case, would be to speedily identify the source of the offending website and apprehend the perpetrators.

A scan with the Domain Reputation API can reveal multiple data points which may prove essential in resolving the case. The scan assigns a reliability score to the website which is indicative of its level of risk. The API performs a complete infrastructure check, along with, a malware scan to determine the domain or IP address’s proximity to risk.

The Domain Reputation API also provides an added advantage in the form of Predictive Scoring. The predictive scoring method utilizes advanced algorithms that use real-time, dynamic datasets to assign a reputation score to domains immediately after registration, regardless of whether they have any past records of being considered risky or not.

This significantly speeds up the threat detection and prevention process by warning cyber-security professionals of potential security risks before even visiting the website. The utilization of predictive scoring can prove indispensable to the timely recognition of any potential threat and adopting protective measures.

Combined with different tools like Whois & Reverse Whois professionals can quickly identify the person or organization in whose name the offending domain has been registered or other domains connected with them. Using this information, the authorities can take the necessary steps to bring in the offenders & prevent any future threats.



The above use-case effectively demonstrates one of the varied uses to which the Domain Reputation API can be put. By providing cyber security professionals with an effective tool for quickly identifying risky domains, the Domain Reputation API takes an important step towards a safer web.

http://www.fengnu.net.cn/blog/enable-active-phishing-protection-with-domain-reputation-api/feed/ 0
Finding Hacked Websites! http://www.fengnu.net.cn/blog/finding-hacked-websites-2/ http://www.fengnu.net.cn/blog/finding-hacked-websites-2/#comments Thu, 29 Aug 2019 15:38:13 +0000 admin http://www.fengnu.net.cn/blog/?p=2206 If you are a website administrator, web-business owner or even a compulsive blogger, waking up one fine day to realize that your website has been hacked can become your worst nightmare. The internet is becoming more and more complex by … Continue reading ]]>

If you are a website administrator, web-business owner or even a compulsive blogger, waking up one fine day to realize that your website has been hacked can become your worst nightmare. The internet is becoming more and more complex by the minute; in this ever-changing environment the task of ensuring that your website is free from malware and viruses, as well as protecting your domain from any unauthorized intrusion, is taking on an increasingly complicated nature that requires constant vigilance and professional care.

But what are the simplest signs that your website has been hacked? Let’s find out.

Explicit Website Hacks

Sometimes, realizing that your website has been hacked can be as simple as not being able to access it. This usually happens when your domain name and Whois server accounts have been compromised by a malicious entity. Such hacks can also take the form of website defacement; in such a scenario your website content is usually defaced or replaced by objectionable material or entirely unrelated content. Sometimes, you may find that your domain name is now linked to a web property that has nothing to do with you.

A hacked website can cause severe damage to the credibility and authenticity of your website. Interestingly, hacks which actually allow you to recognize that your website has been compromised may be tackled relatively easily as they allow the opportunity of instant detection and rectification. Sophisticated website hacks, however, are harder to detect and correct.

The Hidden Hack

Most website hacks won’t allow you to understand that your website has been hacked at all. Advanced hacking techniques are designed in a manner which makes it very difficult to detect them. As a result, hackers can continue with their activities unhindered. Such website hacks, which may target Domain Name Server (DNS) or Whois servers, are serious breaches. Using these routes hackers can compromise the integrity of your website in any of the following ways:

  • Collect information regarding your website.
  • Steal the credentials and monitor the usage patterns of your website visitors.
  • Install and spread malware to other computers and websites connecting to your web property.
  • Divert your website visitors to other malicious sites.


These are only some of the ways by which such hidden website hacks can harm your site. If not addressed in a timely manner, such attacks can easily destroy the credibility of your website or online business.

How To Detect A Hacked Website?

While explicit hacks make themselves pretty obvious, detecting advanced hacks such as attacks on Whois servers are best handled by professionals who are experienced in such matters. Security experts take into account varied factors and employ techniques to determine if a website has been hacked. Some of these are listed below:

  • Whois Record Anomalies- Sudden changes in your Whois records, as well as domain expiry, can lead to your website being compromised. In case you notice any change in the information of your Whois records, or have neglected to renew your domain registration for extended time periods, then your web property can become a prime target for hackers. To prevent such compromises, make sure your Whois data is properly updated and you monitor your valuable domains.
  • DNS Monitoring- The DNS service is another common target for hackers. DNS runs behind the scenes and hence is easily ignored. Furthermore, DNS configurations are often difficult to fortify against attacks. This leads to cyber-criminals using exploits such as Cache Poisoning and DNS Resolver Modifications to redirect traffic to illegitimate destinations. Keeping your DNS software up-to-date and restricting zone transfers can be effective ways to guard against such hacks.?


  • Finding Malware Signatures- Experts can detect whether your website has been exposed to malware by scanning your site’s Whois server and associated resources for anomalies and malware signatures. Updated malware detection techniques allow prevention as well as timely containment in case of an infection.
  • Checking Source Files- Often, website hacks can manifest themselves in the form of anomalous code in the source files of a website. Therefore, a thorough examination of the source code can reveal any problems that may be lurking beneath the surface. Hackers often insert malicious links inside source code. A professional analysis can help detect any such problems.
  • Monitoring Site Traffic- The nature of a website’s traffic can often be a good indicator of whether the site has been compromised or not. Certain website hacks often result in unusual fluctuations in website traffic. If such spikes and drops in website traffic become intense, it may be a sign that the website has been hacked.

Protecting Against Future Attacks

Once the website hack has been detected, the infected files must be separated from the clean ones and then scrubbed for removing the malicious code. Then they can be re-integrated into the website. Doing this requires professional expertise, and backups of all resources should be maintained to guard against possible mishaps during the recovery process.

The job of protecting the website does not end there, however. Websites and servers must be protected at all times using sound security practices. The traffic and usage patterns must be regularly monitored, passwords changed periodically, and Whois records must be protected to ensure privacy. Whois API, Inc provides Enterprise Tool Packages which can help you monitor & keep your domain name secure from malicious entities.

Final Thoughts

A hacked website can result in heavy losses for the website owner. However, by maintaining security best practices and using updated monitoring and protection tools, websites can be guarded against cyber attacks.

http://www.fengnu.net.cn/blog/finding-hacked-websites-2/feed/ 0
Registrar Solutions: Streamlining Complex Domain Name Processes http://www.fengnu.net.cn/blog/registrar-solutions-streamlining-complex-domain-name-processes/ http://www.fengnu.net.cn/blog/registrar-solutions-streamlining-complex-domain-name-processes/#comments Mon, 26 Aug 2019 05:40:27 +0000 admin http://www.fengnu.net.cn/blog/?p=2194 It can be hard to be in the domain registration business these days. Yes, there are millions of new websites launched every year under thousands of TLDs, leading to a highly dynamic landscape with lots of opportunities for registrars. Sounds … Continue reading ]]>

It can be hard to be in the domain registration business these days. Yes, there are millions of new websites launched every year under thousands of TLDs, leading to a highly dynamic landscape with lots of opportunities for registrars. Sounds good, doesn’t it?


But there’s also stiff competition — i.e., thousands of accredited domain registration firms currently in operation — which has resulted in a buyer’s market where a domain name can be acquired for as little as $10 or $20 a year. To be noticed in such a crowded market, registrars must distinguish themselves from the rest by delivering value-added and flawless services while keeping costs low.


With that in mind, to ensure customer satisfaction and smooth operations, registrars need access to critical and timely WHOIS information, notably on domain availability and expiration — that is, whether or not a given web address of your interest is actually available for the launch of a new product, service, or page in general.


Such information is available through third-party vendors like WhoisXML API. The company’s Registrar Solutions provides a real-time bridge to ample domain data through its WHOIS database and APIs. Let’s explore the necessity for domain registrations firms and advantages presented to them here.


Registrars and WHOIS: One Can’t Go Without the Other


There are strong interdependencies between WHOIS and registrars. Firstly, registrars are accountable for providing accurate statuses on both new and existing domain names and their registrants. While that doesn’t sound too hard, it’s actually a thorough job for major registrars, which must be able to seamlessly handle the reporting of hundreds of registrations daily or more often.


In fact, each registrar depends on the devotion of its peers to this centralization process of WHOIS records as administered by ICANN. Anyone who sells or renews a domain name but fails to report it immediately can create chaos and confusion — e.g., addresses registered twice, failed renewals, customer complaints, legal actions, etc.


In short, everyone is better off with accurate WHOIS data that prevents such lapses and keep all registrars on the same page. Yet, what’s the role of companies like ours in making it all possible and effortless?


A Closer Look at Registrar Solutions


WhoisXML API and its Registrar Solutions provide registrars with streamlined access to WHOIS databases without having to spend time and effort developing the backend. The company sets up and manages public WHOIS services that give registrars secure and reliable domain registration, management, and transfer services.


Registrars can leverage the service and therefore devote full attention to their core business while having a dependable WHOIS operation taken care of for them. It can be used to implement the daily activities that include checking whether a domain name is available or has expired, facilitating domain transfers for their owners, and checking historic data to verify ownership and other details.


Whatever purpose may be required, customers can be assured they will find what they need. This is made possible through WhoisXML API’s extensive WHOIS databases, which contain 6+ billion WHOIS records, 582+ million domains being tracked, 2,864+ TLDs and ccTLDs, and 99.5% of all known IP addresses.


Besides tracking data, our Registrar Solutions can be instrumental in assisting law enforcement as it helps registrars uncover and report domains that are involved in phishing scams or cyber-attacks. Registrars can also check the validity of reports from users claiming malicious activity from certain domains to ensure that suspicious websites are promptly removed to avoid penalties.


Moreover, registrars can help their clients to track keywords of their interest, which allows them to quickly acquire the expired domains that used them. Specific keywords can also be monitored to discover market trends that call for offering particular domain names for sale. Additionally, registrars can take notice of such value-added services as brand, trademark, or domain monitoring.


Working with WhoisXML API


Our key differentiator is extensive, reliable, and easy-to-use domain data. To make that happen, we continually send a series of DNS and WHOIS requests to gather all the available information on any particular domain name. The result comes in both raw and well-parsed and normalized formats and includes accurate information about the domain owner; the domain registrar; the dates when the domain was registered, updated, or expired, along with a list of DNS records and other relevant domain details. Additional information regarding the host of a specific domain’s Web server, mail server, and DNS is also provided.


Additionally, WhoisXML API has a team of experts that are available for consultation concerning every aspect of WHOIS and domain management. A customized solution package can be prepared according to particular requirements which can be discussed during the consultation. Registrars may also send in their specifications, and we’ll promptly get back to them with a corresponding plan and price.



Registrars think, live, and breathe domain names, and they need continuous access to domain data for multiple functions. Signing up for our Registrar Solutions will take a huge load off their shoulders and give them more time to pay attention to their core markets.

http://www.fengnu.net.cn/blog/registrar-solutions-streamlining-complex-domain-name-processes/feed/ 0
Research Any Domain’s History With Whois History API! http://www.fengnu.net.cn/blog/research-any-domains-history-with-whois-history-api/ http://www.fengnu.net.cn/blog/research-any-domains-history-with-whois-history-api/#comments Mon, 19 Aug 2019 02:31:24 +0000 admin http://www.fengnu.net.cn/blog/?p=1239 With thousands of new domain names registered every day, billions and billions have been registered over the years. And these have undergone multiple ownerships or even registration changes over time. These could be modifications to the domain’s registrar or associated … Continue reading ]]>

With thousands of new domain names registered every day, billions and billions have been registered over the years. And these have undergone multiple ownerships or even registration changes over time. These could be modifications to the domain’s registrar or associated name servers or even changes in contact details, to name just a few.


Aging domains have a history and we at WhoisXML API can help you delve deeper to understand a given domain’s past with WHOIS History API. Professionals conducting research for cybersecurity or investment purposes can hugely benefit from uncovering a domain’s lifecycle to find out if it has ever had a checkered past or draw connections that may not be easy to see at the surface level.


Table of Contents



Why a Domain’s Past Matters


We all know that if we’re interested in purchasing a domain name for our company website, the easiest way to do so is by approaching a domain registrar. So we go online and look for domain registrar recommendations and find the most popular ones. And that’s hardly surprising, as any business would want to be served by the best. So we contact them and get a list of available domain names that would best fit our business requirements. We sift through the list and settle on one from, say, the top domain registrar according to our online research. Weeks after, perhaps, we launch our website and visitors start pouring in. Business is going well, that is, until we receive customer inquiries on our site’s involvement in a cyber attack.

Why a Domain’s Past Matters

Are we being hacked? Has our website recently been owned so we’ve been directing visitors to phishing sites? We dig deeper. And after several conversations with the complaint filers, we realize they dug something up from our domain’s past. As it turns out, our company isn’t to blame, our domain’s shady past is. We should have known better to have found everything we could on our domain’s history before actually buying it. Too late for that though so we do the next best thing—we issue a statement on our website severing us from ties to any malicious activities and assure our visitors that our pages are safe to visit.


If you don’t want to be in this kind of situation, you’ll need to be more careful when acquiring domains. One way to do that is by using a WHOIS history API, search, or lookup tool that will give you all the information you need on a domain. And we’re not talking about just its current state but its past (no matter how clean or sordid it is) as well.


Looking into a domain name’s entire history is critical if you don’t want to be hounded by skeletons in its closet once your business is already up and running. Here are just some of the possible reasons why:


  • SERP violations: In general, old domains are more likely to get better SEO rankings because they have been online for quite some time. But that’s only good if they were ranked for a good reason. Typical examples of this would be great content, tons of visitors, and so on. But some aged domains may have been abandoned by their former owners because they had been flagged for violations. That said, no matter how good your SEO strategy is, your pages will never get good rankings because they’ve been marked for bad behavior. Be sure not to end up with such a domain or you’ll suffer the consequences of its previous owner’s wrongdoings.
  • Ties to cybercrime and cyber attacks: The domain could have been involved in a past crime. Cybersecurity solutions block access to identified malicious URLs from their customers’ systems. If that’s the case, potential clients who wish to visit your website would always be alerted to its insecurity (based on historical data) through warnings. They’ll never reach your site and that means lost opportunities for your company. Compromised URLs that end up as unknowing accomplices to cybercrime also get named in threat reports and news. That’s most likely how the site visitor in our sample scenario ended up complaining about our site’s safety.
  • Hijacked domains: Not all domains that end up seemingly “available for use” have been lawfully obtained. Some could have been stolen from other individuals or organizations. And the only way you can use them is because they have been compromised by the ones selling them. This is easy to do with insufficiently protected domains. Make sure you don’t end up buying a stolen domain or you just may lose more than you gained.
  • Ties to unscrupulous content and activities: Some websites may have been taken offline by the authorities because they contain malicious content (porn, etc.), sell fake goods and services, or have ties to illegal activities. Make sure the domain you’re currently eyeing didn’t play host to such sites or you’ll land in hot water.
  • Handing your personal data and money to fake registrars: Not all registrars that advertise on the Web, especially those who offer really low prices, are legitimate. If you’ve got your heart set on a domain and finally found just one registrar that offers it, conduct extensive background research on the seller first. More often than not, the most promising domain names are already taken and just because you found someone offering your dream domain doesn’t mean you’ve hit the jackpot. Be very wary about hard-to-believe offers, as they almost always end up being false. You may just be taken in by a fake domain registrar.


Domain registrars often buy domains in bulk for reselling. They may not have had time to check all of their purchases’ past (or may just not care). It doesn’t help that even the best and most reputable registrars have also had brushes with the law. Take a closer look at these noteworthy incidents:


  • Alibaba Cloud Computing: Several domain names tied to an Android supply chain attack just this June were reportedly registered by this provider. The attack perpetrators used these domains to preinfect Android-based smartphones with malware before they even came off the rack and made their way into mobile phone shops.
  • Google Cloud Platform: Thousands of vulnerable D-Link routers were affected by a spate of traffic redirection attacks. Hackers abused the provider’s network to reroute the traffic that passed through affected routers to malicious sites, putting the victims’ systems and the data they contain at great risk just this April.
  • Namecheap: Sometimes, the more popular a registrar is, the more likely cyber attackers will go after it. That’s because halting its operations means affecting a greater number of websites. This is a lesson that providers such as Namecheap and other big names like it learn the hard way.


But since you’re the one whose brand and therefore reputation is at stake, you want to make sure you won’t regret using the domain name you chose.


Dig deep into the past of your business’s gateway—your domain—so its ghosts won’t end up haunting you with WHOIS History API.


What WHOIS History API Reveals


Every company website has its own WHOIS record. It’s required by law. And any site owner who provides false information on this record is penalized (his ownership is rendered null and void). That said, all registered sites’ WHOIS records are stored in a database that anyone can access through API, search, or lookup tools. There are tons available on the Web today though not all of them let you do historic WHOIS lookups — the kind you need to do to find out everything about a domain name’s past.


Apart from providing typical information found in a WHOIS record — registrant and billing, administrative, and technical contact name and details; registrar; nameservers; registration and expiration dates; and so on — you need a WHOIS history search tool that will give you data on how many changes (registrant, contact details, nameservers, etc.) a domain has undergone throughout its existence and when these occurred. That way, you can find out if it has been involved in any kind of activity that can be harmful to your business. If our sample scenario has taught us anything, that means don’t purchase that domain name.


When looking into a WHOIS record, don’t stop at finding out all you can about its content. Look for signs of malicious ties as well to its registrar, registrant, contacts, nameservers, and everything else on its historical records.


But what makes a great WHOIS history API, search, or lookup tool? Find out in the next section.


What You Should Look For In A WHOIS History Database


A WHOIS history API is only as good as its source — the WHOIS history database it’s hooked to. A good database is one that contains billions of WHOIS records that span the entire TLD space. It not only has records on domains that use popular gTLDs such as .com, .net, and .org, but also the more uncommonly seen ccTLDs like .tk, .ru, and .cn, along with those that sport newly created gTLDs such as .xyz, .biz, and .shop. Look for the complete list of TLDs that it supports so you can check if it’s as comprehensive as it says on its website. Choose a provider that has been in the business for a good long while. That’s one way to find out how reliable its product is. It also gives you an idea of how far back its domain historical data goes. Is it recommended by reputable companies? That will help you make sure that it’s not just tooting its own horn. Find out what its clients actually say about the tool.


WHOIS History API gives you access to:


  • More than 5.2 billion WHOIS records
  • More than 582 million domains
  • More than 2,864 TLDs
  • More than 10 years’ worth of WHOIS data


Because the tool contains a consistent set of WHOIS information, it can be easily filtered based on date (registration, expiration, and modification) for easy analysis.


WhoisXML API has been in the business for almost a decade with product recommendations from more than 50,000 of today’s biggest online brands such as Apple, Amazon, GoDaddy, and more. Backed by a solid foundation, WHOIS History API can give you timely, accurate, and relevant information on any domain throughout its life cycle to meet several business needs—cybersecurity, brand protection, fraud investigation, and many more.


To get a glimpse of the many benefits that a WHOIS History API provides, see the list we compiled in the next section.


What You Can Do With Historical WHOIS Data


What You Can Do With Historical WHOIS Data

Historical WHOIS data can be useful for many kinds of business applications in various industries. Here’s a list of who can benefit from using WHOIS History API and how:


Potential User Practical Uses
Cybersecurity professional Gather currently hidden information on a privately registered website by looking at its history
Domain registrar Sift through registrant changes to make sure the domain you’re looking to buy doesn’t have anything to hide
Fraud investigator Find out how long a case has been occurring by going back in time to look at a domain’s entire life cycle
Marketing professional Get to know your customers better to keep them coming back for more


With WHOIS History API, you get a whole lot more information than you would normally find in a regular WHOIS record. To ensure your business’s future success, it’s not enough to focus on what’s right before your eyes, it’s also critical to carefully assess the past so you can avoid bad surprises when you least expect them.


WHOIS History API results can be downloaded in two easy-to-read-and-decipher formats —JSON (readable on any text editor such as Notepad on Windows and TextEdit on Mac OS) and XML (readable on any spreadsheet application like Microsoft Excel on Windows and Numbers on Mac OS). You don’t need to purchase additional software to use it. To see sample WHOIS History Reports and nifty tips and tricks on using it, visit this page.


WHOIS History API is just one of the many tools in WhoisXML API’s Enterprise API Package. To get the most out of domain monitoring, use it with these other tools:


  • Enterprise Data Feed Package: This works best for users who prefer sifting through and analyzing data offline. It comes with:
    • WHOIS Database Download: This provides partial or complete historic domain information that can be customized according to your business needs.
    • IP Geolocation Data Feed: This is an exhaustive and precise IP geolocation database that is updated on a weekly basis.
    • IP Netblocks WHOIS Database: This lets you find out which IP range a particular address belongs to, along with its owner’s contact and other information.
    • Domain IP Database: This gives you access to the biggest passive DNS database that works particularly well when you’re conducting cybersecurity research.


  • Enterprise Tools Package: This, meanwhile, works best for those who prefer working with data online. It comes with:
    • Domain Research Suite: This enhances your domain research toolkit with enterprise-grade Web-based solutions that help you search for and monitor domain-related data. It comprises:
      • Reverse WHOIS Search: This lets you find all domains containing specified search terms in their WHOIS records.
      • WHOIS History Search: This is WHOIS History API’s Web-based counterpart for those who want to find all there is to know about a domain’s past on a Web interface.
      • WHOIS Search: This allows you to get all the key data points related to a domain name you’re interested in.
      • Domain Availability Check: This lets you find out if the domain name you want to purchase is available for registration.


    • Whoisology: This is an advanced reverse WHOIS tool that lets you find deep connections between domain names and their owners. It was primarily designed for cybercrime investigations, intelligence gathering for infosec and corporate use, conducting legal research, and business development.
    • Threat Intelligence Platform or TIP: This is a set of enterprise-grade threat intelligence tools for optimal threat detection and analysis. It makes use of the following APIs:
      • Domain’s Infrastructure Analysis API: This lets you research servers’ infrastructure beyond their domain names.
      • SSL Certificates Chain API: This obtains a domain’s SSL certificate, along with its certificates chain in a well-parsed JSON format.
      • SSL Configuration Analysis API: This allows you to check a host’s SSL connection and analyze it for common configuration issues.
      • Domain Malware Check API: This lets you check if a domain name has ties to malware.
      • Connected Domains API: This lets you discover domain names that resolve to the same IP address.
      • Domain Reputation Scoring API: This allows you to evaluate a domain’s reputation based on several security data sources using an instant external configuration auditing procedure.


Whether used as a standalone tool or in combination with other domain monitoring and research tools, WHOIS History API is sure to give you all the information you would need to make sure your domain is as threat-free as it can possibly be, thus ensuring not just your company’s safety, but also that of your employees, clients, partners, and other stakeholders.


WHOIS History API will not only give you useful insights into the entire history of the domain you’re interested in purchasing, it can also help you beef up your company’s security posture by blocking sites with known ties to malicious actors and activities; get to know your customers, partners, third-party suppliers, and other stakeholders better so you can enhance the way they do business with you; spot domains with potential tie-ups to outstanding fraud cases; and so much more. How? The next section will tell you.


How WHOIS History API Works


Immediately after registering for the service, you can start reaping the benefits of WHOIS History API. Here’s how:


  • 1. Log in and type the name of the domain you wish to see the history of into the search field.?
  • 2. You will see how many historical records the domain has had over the years beside “Historical records discovered” and how much the reports would cost if downloaded in either XML or JSON format next to “Report price.”?
  • 3. Below these, you can see a preview of the reports you can download. You can filter information by update date, registrar name, WHOIS server, and other WHOIS data.


Now you’re all set, you can dig as deep as you want on any domain’s past. The next question you need to answer is “What specific threats should you be looking for to make sure your domain’s past won’t haunt you?” The next section gives you an idea.


Specific Threats in Your Domain’s Past That Can Harm Your Business


Although the World Wide Web allows users to transcend boundaries set by time and space, it is also chock-full of threats that any business wouldn’t want to be caught having ties with. With WHOIS History API, you can look out for these to make sure your domain’s past won’t cause you grief:


  • Phishing: Cyber thieves sometimes hijack insufficiently protected websites to redirect users to their own specially crafted data-stealing pages laced with keyloggers to siphon log-in credentials.?
  • Spamming: Threat actors normally spoof popular companies to send out spam that either come with malicious attachments that, when opened, infect users’ computers with malware (typically data stealers) or links that point to websites that drop malware onto users’ systems.?
  • DDoS attack: One way by which cyber attackers hide traces is by using compromised sites to do their malicious bidding. In DDoS attacks, for instance, they transform vulnerable sites into bots that disrupt the operation of their targets.?
  • Cryptocurrency-mining malware: Cybercriminals typically plant these into company websites so they don’t use up their own resources to generate cryptocurrencies that they can use to fund their operations or sell for profit.?
  • Business email compromise or BEC: Also known as email account compromise or EAC, fraudsters typically pretend to be C-level executives of organizations to trick employees who have access to financial resources into transferring huge sums of money into the attack perpetrators’ accounts.?
  • Malvertising: Cybercriminals typically plant malicious advertisements in unsecured sites so they won’t need to create their own websites or pages just to get to victims. They just need to bait compromised sites’ visitors into clicking their ads.


This list is by no means exhaustive. Any ties to an online attack, even if it happened years ago can land your business in hot water. Remember that security companies and authorities can block access to your domain, IP address, or website when these are used in any kind of cyber attack. So even if you’re an innocent victim or unknowing accomplice, your company may suffer dire consequences. This is exactly why you need to ensure your domain’s safety at all times and why it’s important to know everything about it before you even start using it. Your domain’s past can make or break your business’s current and even future state.


Concluding Thoughts


Your domain is your business’s online home. It’s the place where employees feel safest. And so you should make sure it will not get hacked, thus not putting your staff at risk. It’s also where you welcome guests so make sure it won’t serve as host to malware or redirect them to malicious sites. That’s why you must always make sure it stays protected against all kinds of online theft. And to some, it’s also where they work and so it must remain secure from anyone who wishes it any harm.


Don’t let your name suffer just because you happened to choose a domain name with a shady past. Remember that a name is only as good as its history. What good would a great domain name do if it comes with a lot of unwanted baggage? Use WHOIS History API so you won’t need to clean up your act even before you make a mistake. Living with your past mistakes is hard enough, so why live with someone else’s?


More Information on WHOIS History API


For those interested in putting WHOIS History API to work, note that it is part of our Domain Research Suite. As such, API requests are charged in so-called “DRS credits.” This is a convenient way to use all of the products in the suite with a single subscription that works for both the APIs and Web-based search tools. Costs vary according to the operation you require. One WHOIS History API request costs 50 DRS credits.


Signing up is free of charge and gives you instant access to the API. We also offer one-time purchases to those who don’t have a recurring need for domain information. Monthly and annual subscriptions packages, meanwhile, should serve those who regularly use domain data better. For more detailed pricing information, see the pricing table on this page.


If you’re looking for more customized plans, feel free to contact WhoisXML API at sales@whoisxmlapi.com. What are you waiting for? Find out all you can about any domain’s past with WHOIS History API.

http://www.fengnu.net.cn/blog/research-any-domains-history-with-whois-history-api/feed/ 0
Who Has Been Acquiring the Web? Newly Registered Domains Can Tell You http://www.fengnu.net.cn/blog/who-has-been-acquiring-the-web-newly-registered-domains-can-tell-you/ http://www.fengnu.net.cn/blog/who-has-been-acquiring-the-web-newly-registered-domains-can-tell-you/#comments Tue, 13 Aug 2019 05:22:54 +0000 admin http://www.fengnu.net.cn/blog/?p=2184 Connectivity is a double-edged sword. Though it makes reaching almost anyone and anything with an email address or a website a breeze, it also puts all things online at the mercy of cybercriminals and unfair competitors who are always on … Continue reading ]]>

Connectivity is a double-edged sword. Though it makes reaching almost anyone and anything with an email address or a website a breeze, it also puts all things online at the mercy of cybercriminals and unfair competitors who are always on the lookout for benefiting from established brands using malicious copycat or similarly misleading sites registered under new domains.


There is no doubt that one of a company’s greatest assets — its customer or client portal — is its website. It can be likened to a shop’s front door. And let’s face it, we all want to keep thieves and infringers out of our places of business.


To make this happen, you need a strategy in place, and one which involves keeping track of all new and disguised players on the web — a process that can be aided by an effective domain-monitoring tool such as Newly Registered Domains. If you are still wondering why you should care about recent domain registrations, read on to find out.


Why Should I Worry About Newly Registered Domains?


Your domain name is your unique identifier on the Internet. All of your virtual real estates are tied to it. And that’s true for everybody else. In fact, every company that has an online presence is required by law to register their domain names, and all the information on these is stored on WHOIS records.


In turn, each WHOIS record contains up-to-date information on every domain name including its registrant’s, registrar’s, administrative, billing, and technical contact’s names, along with their company and contact details (street and email address and phone and fax numbers). Regularly updated WHOIS records also show when a domain name was registered, all its modification dates, and when it will expire, along with its name servers.


Sounds pretty thorough, right? Now that it’s put in context, that information regarding new domain registrations can tell you a lot about your business environment and its latent threats — especially as events of fraud and misconduct take place with recently registered or expired names which haven’t caught the attention of anyone just yet.


For example, you or one of your business partners or vendor might be the target of an impersonation attack that may deceive your employees or customers into downloading corrupted files, passing on confidential data (intellectual property, customer and employee information, etc.), or revealing their credentials to a key system or application for managing business operations.


What Can Newly Registered Domains Do For You?


Newly Registered Domains is a dynamic service that gives you access to the data feeds of recently registered or expired domains, along with related WHOIS information updated daily. It can:


  • Provide timely information on domains as they are registered, changed, or dropped via WHOIS data feeds
  • Give frequently updated WHOIS data feeds no matter how many times these undergo changes daily
  • Let you access WHOIS information even on domains that reside in the gTLD space


More specifically, take a look at just some of the ways by which Newly Registered Domains can help you:


Beef up your company’s IT security posture Cybersecurity professionals who are handling malware, phishing, and other cyber attack investigations can rely on daily domain alerts to speed up threat detection and response.
Be the first to acquire domain names you’ve set your heart on A name can be everything in a competitive business environment. With Newly Registered Domains, you can be the first to know when an active domain name becomes available again as its current registration expires.
Look out for potential intellectual property violations Brand protection companies can rely on real-time alerts to spot attempts to spoof a client’s brand or abuse its trademarked assets, as well as finding the necessary contact details in WHOIS records to engage legal procedures.
Stop fraudsters from harming your customers Payment processors, banks, and other financial service providers can prevent fraud aided by WHOIS data feed alerts before or as they happen.
Use the latest data to keep competitors at bay Marketing practitioners can use up-to-date statistics to keep track of and beat the competition as they introduce new similar products or enter new markets.
Monitor the health and safety of your entire domain portfolio Domain owners who have offices in multiple locations that maintain their own websites and pages can keep tabs on all of their virtual holdings to address issues as they crop up.


Whatever business you run online, your company is sure to make the most of the many benefits that Newly Registered Domains provides. In a world where a cyber attack occurs every 39 seconds and online competition has gone global, every company with an online presence needs to stay secure from all sorts of digital threats.


We can help you make it a number 1 priority to keep your digital properties and intellectual property safe and healthy. To find out more, contact us today at support@whoisxmlapi.com.

http://www.fengnu.net.cn/blog/who-has-been-acquiring-the-web-newly-registered-domains-can-tell-you/feed/ 0
How Bulk Whois API Can Boost Your Business http://www.fengnu.net.cn/blog/how-bulk-whois-api-can-boost-your-business/ http://www.fengnu.net.cn/blog/how-bulk-whois-api-can-boost-your-business/#comments Tue, 30 Jul 2019 08:00:08 +0000 admin http://www.fengnu.net.cn/blog/?p=2160 It can be said without a doubt that businesses of the 21st century are all geared towards the internet. With rapid advancements in digital technology and the exponential growth of the online ecosystem, it hardly comes as a surprise that … Continue reading ]]>

It can be said without a doubt that businesses of the 21st century are all geared towards the internet. With rapid advancements in digital technology and the exponential growth of the online ecosystem, it hardly comes as a surprise that businesses have to maintain a considerable presence on the web in order to cater to the needs of the online population. Apart from this, the rapid proliferation of the internet into even the most remote corners of the world has opened up new business avenues and markets that were previously difficult to access, or even altogether unavailable for business. This has naturally incentivized businesses to move online.

However, as with everything, there is a flipside to this as well. According to the latest statistics?there are currently well over 1 billion websites on the internet, and this number is growing every second. This creates an environment where much of the business interactions are carried out on digital platforms. As a result, the requirement for trust establishment becomes a vital factor in the scheme of things. When you are dealing with an online entity it helps to know the person behind the (web) page.

Bulk Whois API is our latest endeavour to help you do exactly that, and more.



Salient Features of Bulk Whois API

Bulk Whois API helps your business by allowing you to gather Whois information for a vast number of online properties that can be used to power, and provide direction to, your business. Along with our product Bulk Whois Search, Bulk Whois API offers the following capabilities:

  • Bulk Whois search provides records for domain names and IPs of your choosing, thus allowing you to make better business decisions when it comes to navigating the web.


  • Accessing up to 500,000 domain records per query means you don’t have to search for each individual domain separately.


  • Gathers key data points such as registrant name and organization, email and contact information, domain availability and expiration date and much, much more.


  • Query results are well-parsed & normalized and returned in easy to integrate XML and JSON formats.


  • Allows direct API integration for automated data access by your business processes, thus eliminating the need for manual fetching and using of data.



How This Boosts Your Business?

By providing your business with such a large range of information, Bulk Whois API can help your business in some of the following ways:

  • Expanding Your Business Network- The use of bulk Whois data can allow you to gather information about other players in your business niche, or even across verticals so that you can easily approach them for strategic partnerships. This helps to grow your network of contacts which is one of the prime factors that decide the success of a business.


  • Protecting Against Cybercrime- Bulk Whois API helps to secure your organization against potential cyber threats and frauds. In the vast complexity of the online world, protecting against cybercriminals is one of the top concerns of all business owners. Fraudulent websites often aim to deceive business owners by posing as legitimate partners or clients. Falling prey to such scammers can often result in massive losses. Bulk Whois API provides cyber-security specialists access to useful intelligence against such unscrupulous players and prevent frauds before they happen. Bulk Whois data is also useful for tracking down the perpetrators in case of a cyber-attack.


  • Enforcing Brand Uniqueness- With such a massive number of websites out there, it is very important for every brand to associate itself with a domain name that is uniquely reflective of its ethos. However, closely similar domain names can seriously undermine the value of a business by misleading both existing and potential customers. Bulk Whois data helps in this regard by identifying the entity with a domain similar to yours. This enables you to contact the person or persons concerned and reach a resolution. In the event of copyright violations, Whois data can help to pinpoint the offenders and initiate required legal action.


  • Boosting Marketing Efforts- Bulk Whois data can prove to be a focal point in your marketing efforts. Whois data can provide valuable insights that can steer your digital or offline marketing efforts in the right direction.


  • Enabling Secure Financial Transactions- Bulk Whois API data helps to secure online payment systems against frauds and in the case of any impropriety, to detect and redress the situation with fluidity.




These are only a fraction of the ways in which Bulk Whois API can give a boost to your business. In a world of increasing complexity requiring constant vigilance, authentic Whois data can help your business achieve that extra edge. To access Bulk Whois API please click on the link:?https://bulk-whois-api.whoisxmlapi.com/

http://www.fengnu.net.cn/blog/how-bulk-whois-api-can-boost-your-business/feed/ 0
Domain Name System Primer https://main.whoisxmlapi.com/domain-name-system-primer Thu, 04 Apr 2019 05:51:14 +0000 admin https://main.whoisxmlapi.com/domain-name-system-primer

In this white paper, we give an overview of the Domain Name System, or DNS, one of the pillars of the Internet. We start by understanding the goal: to assign names to named resources on the Internet and to maintain their database. For this, it is important to understand the structure of domain names and DNS zones. The roles of the actors in the system are domain maintainers, registries and Network Information Centers. The structure of delegation of authority will also be clarified. We give an overview of the structure of data available in the DNS, notably, the resource records (RRs) occurring in zone files. We also review the technology side: the DNS protocol, its operations supporting queries of name resolution, zone file transfers necessary to maintain the system and for reverse mapping. We briefly mention the most popular implementations, notably, BIND, which may be the most prevalent DNS server software. This necessitates a little insight into netblocks and Classless Inter-Domain Routing (CIDR). We address the internal security issues of the DNS as well as the crucial role it plays in cybersecurity. Finally, we provide some references for further reading.


In this white paper, we give an overview of the Domain Name System, or DNS, one of the pillars of the Internet. We start by understanding the goal: to assign names to named resources on the Internet and to maintain their database. For this, it is important to understand the structure of domain names and DNS zones. The roles of the actors in the system are domain maintainers, registries and Network Information Centers. The structure of delegation of authority will also be clarified. We give an overview of the structure of data available in the DNS, notably, the resource records (RRs) occurring in zone files. We also review the technology side: the DNS protocol, its operations supporting queries of name resolution, zone file transfers necessary to maintain the system and for reverse mapping. We briefly mention the most popular implementations, notably, BIND, which may be the most prevalent DNS server software. This necessitates a little insight into netblocks and Classless Inter-Domain Routing (CIDR). We address the internal security issues of the DNS as well as the crucial role it plays in cybersecurity. Finally, we provide some references for further reading.

Table of contents

1. The need for name servers

1.1. What is DNS?

Any network of digital devices operates by using addresses - technical numbers which enable the identification of the nodes. On the Internet, these are IP addresses. However, it is always necessary to give human-readable names to the addressable resources, thereby turning them into "named resources". Consequently, there has to be a technique to map the names into addresses; this is done by name servers.

On a large-scale network, such as the Internet, there is a tremendous number of named resources. This poses requirements against the solution of name-address mapping:

  • There is a need for a method to organize and index names in order to efficiently find them in the system.
  • It has to be decentralized for several reasons:
    • The solution needs to be scalable in order to cope with the huge number of queries for name-address assignments to be served.
    • It has to be fault-tolerant; thus, there has to be some reserve in case any element of the required infrastructure is unavailable.
    • As the resources are run by physical entities (persons or organizations), it needs to be manageable so that the administration of certain resources can be delegated to their owners.

These requirements led to the introduction of the Internet Domain Name System in the early days of the Internet. This ecosystem has been playing a crucial role in the operation of this network ever since. Its specifications were laid down by Dr. P. Mocakpetris in as early as 1987, in the RFC documents 1034 and 1035. Though many subsequent RFCs have introduced modifications, the core functionality of the system still remains intact.

1.2. Domain name system and WHOIS

To meet the above-outlined requirements, the names of the resources are organized into a hierarchical structure. At the top, there is the name of the top-level domain (TLD), then the second-level domain (SLD), and any number of lower levels, each separated by dots, e.g., "www.example.net". In this way, the management of a sub-tree in the hierarchy can be delegated to the actual owner of the resources below the top of this hierarchy. The authority over the root domain of the Internet is with ICANN (Internet Corporation of Assigned Numbers and Names, www.icann.org).

Below this, for instance, is the TLD ".com" operated by Verisign (though the actual registrations of its sub-domains are processed via registrars accredited by ICANN), whereas "domainwhoisdatabase.com" is the courtesy of WhoisXML API, Inc. — we, as an organization, administer this SLD authoritatively. There are plenty of top-level domains on the Internet. A part of them is a so-called country-code TLD (ccTLD) maintained by the respective entities of the given countries, and there are generic TLDs (gTLDs) related to other entities. Domains are registered by registrars.

When someone, say a company, purchases as a registrant a domain name from a registrar, the latter submits, after the necessary agreements, technical data to appear in the zone files we shall describe later. After this, we say the domain name "will resolve", or get the respective IP addresses in the Domain Name System. The technical data are thus located in the DNS, along with some information about the registrant entity. But not all information, unfortunately.

By design, there is a protocol separate from those used for name resolution — WHOIS, the "phone book of the Internet" which assigns real names and contact data to the registrants, the physical entities the resource belongs to. The WHOIS sub-system is thus crucial in all questions related to the ownership of domains and IP addresses, but the accuracy of WHOIS data is not a technical requirement for the domain to operate.

Meanwhile, in the DNS, all the necessary data have to be present for this operation, but the ownership data are limited. This dichotomy of WHOIS and the other parts of DNS is frequently seen as a serious shortcoming affecting the security of both subsystems. And yet, we have to live with this, as it is a consequence of the approach of the founding fathers of the Internet whose initially saw it as a network of a more-or-less trusted and friendly community. Well, it is not quite what it became.

In the present document, we will not deal with the WHOIS subsystem anymore. Even though it is a part of the domain name system, the system itself is fully functional without it. Instead, we shall focus on name servers, since these are the first which come to mind when speaking about DNS anyway.

Before turning our attention to the actual operation of name servers and the DNS, we will mention briefly a few related topics which will not be covered in detail in this document as they are only loosely related to our main topic.

1.3. Multicast DNS

Consider a local network, possibly of many computers. It is natural to wonder whether they need the same technology as the whole Internet to manage named resources. Indeed, there is a simpler solution for them: RFC 6762 specifies the "Multicast DNS protocol", which does not employ dedicated servers to maintain the name-IP assignment. If a certain site needs the IP address of another, it simply asks all nodes: which identifies itself under the given name.

Obviously, this will only work out in the case of smaller and trusted networks, but it is a great simplification. In addition, the data formats of the mDNS protocol is 99% compatible with the standard DNS protocol (referred to as "Unicast DNS") in this context. However, as we are interested in the operation of the Internet on a large scale, involving authority and delegation questions, we will not go into the details of this protocol.

1.4. IPv6

Even though the number of possible IPv4 addresses, 232, is quite impressive, it can be foreseen that these possibilities will be exhausted at some point in the future. Hence, the IPv6, a new system of identification numbers of nodes of the Internet was developed. There will be times when your Web server IP will not look something like “” but, rather, more like "2001:0db8:85a3:0000:0000:8a2e:0370:7334".

The technology for this has been developed, including its support in the Domain Name System. But it is not yet prevalent and still, to some extent, in its experimental phase. So, we shall omit the details of IPv6 handling in the Domain Name System in the present document and focus on the currently common IPv4 system.

1.5. Beyond DNS: The dark side

When someone speaks of the Internet (with capital "I"), everybody considers the network we all use and refer to under this name. This is very much in line with ICANN's motto, "One World, One Internet". We have just concluded that DNS is needed for the efficient operation of this network.

But actually, a TCP/IP network has many layers, and it is just a broadly accepted convention that it should be used via DNS. We shall see that this system that enables finding resources consists of files describing the required access information and protocols to distribute and access them. But, fortunately or not, it is not impossible for someone to introduce an alternative system on the same physical network that might use completely different standards and yet still remain operational.

And still, it is feasible. What may be the most significant example is the Tor network. It is a totally different logical network running on our physical Internet. It is hard to judge whether it is good or bad. According to its developers, its main goal is to protect privacy and it is very beneficial for many benevolent actors who just want to avoid being tracked or eavesdropped on the Internet. In reality, however, it is known to be a home of the "Dark Web", the online world of crime and nasty things not to be detailed here.

The reason for us to mention this here is to point out that the Internet Domain Name System we describe here is not the only approach that exists on the physical IPv4 network, but it is what is running the thing we call the Internet. And currently (probably luckily), this is the most prevalent one.

2. Data behind the name resolution

2.1. Zones and zone files

A DNS zone is a contiguous portion of the domain name having a single entity delegated as its manager. In the tree of the namespace, a zone starts at the root of the given domain and ends either at a leaf node, i.e., host, or at the top boundary of other independently managed zones.

Zone files are the very containers of all data describing the information necessary for the name resolution of the zone. They are text files with contents standardized by RFC 1035. (Actually, there are certain conventions used by BIND, the most prevalently used DNS server implementation which does not comply fully with this standard, but they are now generally accepted.) Thus, zone files are both human-readable and machine-parsable: DNS software reads the information from these.

Our goal here is to obtain a basic understanding of the contents of zone files, as it is needed in order to understand DNS operations.

The contents of zone files can be subdivided into three types:

  • Comments
    Like virtually all kinds of computer code, they are necessary for human readability. Here, they start with the ";" character.
  • Directives
    These start with a "$" sign. They manage the processing of the file.
  • Resource records
    Those are the actual data lines describing the properties of the domain and the entities contained within.

Let us see a little example of a zone file:

$TTL86400 ; 24 hours could have been written as 24h or 1d; $TTL used for all RRs without explicit TTL value$ORIGIN example.com.@ 1D IN SOA ns1.example.com. hostmaster.example.com. (2002022401 ; serial3H ; refresh15 ; retry1w ; expire3h ;nxdomainttl )IN NS ns1.example.com. ; in the domainIN NS ns2.smokeyjoe.com. ; external to domainIN MX 10 mail.another.com. ; external mail provider; server host definitionsns1 IN A ;name server definitionwww IN A ;web server definitionftp IN CNAME www.example.com. ;ftp server definition; non server domain hostsbill IN A IN A IN A

Most directives are not very important to us, except for the mandatory $TTL directive which defines the Time to Live (TTL) value. This is the default duration for which the Resource Records can be saved or cached by another DNS server.

The $ORIGIN directive gives the name of the domain in argument, but it is optional. If provided, however, the value of $ORIGIN will be appended to it, if any name appears in what follows and it does not end with a dot character ".".

The reason for this is that the file should use Fully Qualified Domain Names (FQDN). That is, it should define the exact location of the domain name in the DNS tree, and the terminating dot here represents the root domain. In addition, the "@" character in the SOA resource record will be substituted for its value, in our example, "example.com.".

2.2. Resource records

From our point of view, the most important elements are the Resource Records (RRs), as they are the ones containing the information on the zone. Let’s see what they tell us.


The first one, the SOA (Start of Authority) RR, has to be the first, and it is mandatory. It is a multi-line RR. Looking at our example, it should be read as follows:

  • The "@" character is the name of the domain, now as $ORIGIN has been set, it will be substituted to its value, "example.com.".
  • The "1D" stands for one day; it is the TTL (Time to Live) of this very RR. If it is omitted, then the default $TTL would be used.
  • "SOA" stands for the record type.
  • "IN" stands for the network class, "Internet" in our case. In practice, it is always "IN" in zone files; there are some other possibilities, but they almost never appear in practice.
  • "ns1.example.com." is the Primary Master name server for this domain. It will be also specified in a separate RR, but it is mandatory here. (It can have a special meaning though when it is used with Dynamic DNS configurations).
  • "hostmaster.example.com." stands for an e-mail address, the first dot should be read as "@" — so it is "hostmaster@example.com". This is the administrative e-mail address for the zone, and according to the recommendation of RFC 2142, it is typically "hostmaster@domain".
  • "2002022401" is a serial number associated with the zone; this is essentially the version number of the information. By convention, it uses the format of a date "yyyymmdd" followed by a two-digit serial number specifying the version within the day. This field has to be updated every time a change is made to the zone.
  • The following time-type fields affect the operation of slave/caching name servers, which we shall describe in detail later.

Name server records. The first few fields are just the same as we saw in the SOA record. The "name" field is empty here, meaning that it is substituted from the preceding SOA record. (This is a general rule: if no name is given in any type of record, the "name" field of the SOA record shall apply.) No TTL is specified, so the default $TTL applies. Finally, in our example, we have "ns1.example.com.", the FQDN of a name server within the zone, and "ns2.smokeyjoe.com.", which is the secondary name server in some other domain, typically at some other location. This increases the robustness of the system — even if the infrastructure of the whole domain fails for some (possibly technical) reason, a name server somewhere else in the world is likely to be available. The organizations typically find partners to run their secondary name server on the basis of a mutual trade-off business (I back you up,, you back me up).


These are the default mail servers for the domain. The syntax is just as in the case of the NS records, apart from the additional number before the last record. This is a priority level: it is a number between 0 and 65535. The lower the number, the higher priority a given mail server has.


These are the very hosts. Each IP address which can be resolved has to have a name (this is the first field) and an assigned IP (this is the last one). Note that the same IP can have multiple A records, like the Web server "www", and Joe's machine, "joe" in our example. Also note that since $ORIGIN is set, "joe" will be substituted for "joe.example.com.", illustrating how useful this directive can be.


These are essentially aliases: the name in the first record is an alias for the name on the right. It can be used for many purposes. Importantly, the alias can point to a host outside the domain. A typical use of CNAME is to enable the Web server to be seen both as "example.com" and "www.example.com":

IN A IN CNAME example.com.

The first line defines an IP resolving to $ORIGIN, that is, "example.com.", whereas the second one defines "www.example.com." as an alias to "example.com."

We reached the end of our example, and, in fact, what we understand so far is almost completely sufficient for the operation of a domain. The only exceptions are the records of type "PTR", the ones needed for finding out the host name from an IP. This is the topic of "reverse mapping", which we shall address in Section 3.2.

There are many other types of special records. For a more exhaustive list, we refer to the following blog http://www.fengnu.net.cn/blog/dns-the-dark-knight-of-the-internet/ for a quick overview, or to the cited books for a more detailed account.

Having understood the structure of the information present in the domain name system, let us now proceed to how it is actually distributed and maintained.

3. DNS operations

Here we describe the operations of the Domain Name System. These are realized using dedicated protocols, involving both TCP and UDP communications. The standard port of this service is 53.

3.1. DNS Queries

This is the operation realizing the main goal of DNS: to translate names to IP addresses. Each networked device has a component, the stub resolver (or resolver in brief) for that purpose. If an application, e.g., a Web browser, needs the address of another system, e.g., for visiting "www.fengnu.net.cn", it will ask the resolver: "What is the IP address of www.fengnu.net.cn?" There are two possible ways for the resolver to get this information.

3.1.1. Iterative queries

This is the kind of query which must be supported by all name servers. The process, in this case, is as follows:

  • The resolver asks the locally configured default name server about "www.fengnu.net.cn".
  • The locally configured nameserver looks up the address in its cache, which is built from previous queries.
    • If it finds the address, it returns the answer along with the related CNAME records (aliases), and the query is completed. This answer is non-authoritative in this case.
    • If the required information is not there in the cache, the local name server replies to the resolver with a referral to the root server of www.fengnu.net.cn.
  • The resolver asks the root server for the list of authoritative name servers for the given TLD, ".com." in our case.
  • Using the answer, the resolver asks the TLD name server for the list of authoritative name servers of the SLD, ".whoisxmlapi.com." in our case.
  • Finally, the resolver asks the authoritative name server of the SLD about the IP address of "www.fengnu.net.cn", and receives the authoritative answer.

Apart from IP addresses (possibly with CNAME records and referrals), there can be answers showing a temporary or permanent failure, or reflecting the absence of the domain (NXDOMAIN), which are treated in the protocol just as one would logically expect.

Note that here all the communication went between the resolver and various name servers in several iterations, hence the name. No direct communication was going on between the name servers directly, i.e., there was no recursion. But it is easy to see then that if this was the only possibility, the cache of the local name server (or any other name server) would remain empty. Therefore, at least the local name server, and possibly some others, should support the communication to other name servers. This leads us to the need for the other type of query.

3.1.2. Recursive queries

This type of query is not necessarily supported by name servers. It enables communication between the servers and thus supports building a cache. Let us see our previous example now in a scenario where the local name server supports recursion:

  • The resolver asks the local name server about "www.fengnu.net.cn".
  • If the local nameserver finds the information in the cache, a non-authoritative answer is returned and the query is concluded.
  • In the absence of the information in the cache, the local DNS will ask a root server about the authoritative server of the TLD, ".com". A referral will be returned.
  • The local name server asks a name server of ".com." for the authoritative name servers of the SLD ".whoisxmlapi.com.", and a referral is returned.
  • The local name server asks the authoritative name server of ".whoisxmlapi.com" about "www.fengnu.net.cn".
  • The obtained information is returned as an authoritative answer to the resolver.
  • Meanwhile, the information is cached; it will live till the prescribed time (Time To Live, TTL), so if the same question is asked from the local name server again, there is no need to ask for referrals.

The errors and non-existent domains are also treated logically here. Note that the resolver does not receive any referrals in this case. Apparently, the main difference between this protocol and the previous one is that the handling of referrals is done now by the local name server and not the resolver itself, thereby also supporting the caching activity of the local name server.

3.2. Reverse mapping

So far, it is clear how we find out the IP of a host by its name. But in many cases, the opposite is needed: we have an IP address, and we want to know the name (or names, aka aliases) it belongs to. Even though the DNS was designed to have a special kind of query for the purpose, it has never been put into practice. Finally, it was even made obsolete by RFC 3425. It happened so that in the problem of finding a name for an IP, the "reverse mapping" can be handled using the same tools as the direct name to IP mapping with a neat trick. And indeed, this is the de facto way it is done. To understand the idea, however, we need some background information about the delegation structure of IP addresses.

3.2.1. Netblocks

Do IP addresses have a hierarchical structure like that of domain names? They should have one, indeed, as the responsibility has to be delegated not only for domains but also for IP addresses somehow.

The key to this is "Classless Interdomain Routing", CIDR, which we summarize here very briefly. (If you are interested in the details, an explanation can be found, for example, here: https://ip-netblocks-whois-database.whoisxmlapi.com/blog/who-owns-the-internet-ip-netblocks-whois-data-will-tell-you)

An IP address, say,, has 4 numbers between 0 and 255. In a binary representation, this is 4*8 bits. In our example, it will be 01101000000110111001101011101011. We keep the trailing zero as we need exactly 32 bits, but we omit the dots; they do not have any role from now on: the octets are concatenated, forming a single 32-digit binary number. This is the ordinal number of the machine.

The assignment of the authority over multiple IP addresses is done in netblocks: these are contiguous intervals of IP addresses. They are defined by fixing a given number of most significant digits.The address in the above example belongs to a netblock in the CIDR notation, which means the first 12 digits define the block, and the remaining less significant ones define the actual host. So, our IP is between the beginning and the end of this interval:

011010000001.00000000000000000000 = = =

How about the hierarchy? Clearly, if we put lower digits, we get a bigger interval, and all the smaller ones will be within that one. E.g., our netblock belongs to a higher-level one as well in the hierarchy,

01101000.000000000000000000000000 = = =

This is a very elegant way of subdividing the whole IP range into a hierarchy of contiguous intervals which either do not intersect or where one contains the other. And, indeed, the delegation hierarchy of IPs is arranged on this basis.

3.2.2. The reverse mapping domain

When comparing to the hierarchy of domain names and looking at the binary numbers representing the IPs as strings, we find a significant difference. In the case of domain names, the highest level in the hierarchy, the TLD is at the end of the string, whereas in the case of IPs, the bits, that is, the characters specifying the higher order in the hierarchy, are at the beginning. And here, the big idea comes in: if we reverse the IP address character by character, the two hierarchies become compatible. Now, as the DNS has tools for handling the hierarchy of domain names, we can use the same tools for the reverse name resolution!

So, how does it work out?

  • Define a special root domain for IP addresses. This is named "IN-ADDR.ARPA.". (Historically, it used to be directly related to the organization "ARPA", but now it is meant as "Address and Routing Parameter Area".)
  • Within this domain, an IP will be represented by a name having all its digits inverted, e.g., "" will be ""
  • In the zone file, we need a special RR for these names, this is "PTR". So, a record in a reverse zone file would look like:
    235 IN PTR foo.example.com
    assuming that this IP belongs to "foo.example.com". The formal syntax of this record is "name ttl class rr name". The first name is treated as a string, albeit it looks like a number; the $ORIGIN directive is in action here as well, unless we write an FQDN, like "". If the TTL is not defined, like in our example, the default is used — IN stands for the Internet, and PTR is the type of this RR.

With these conventions, the reverse resolution can be solved exactly in the same way as the forward resolution. As for the actual administration and hierarchy, the players are somewhat different than in the case of zone files.

3.2.3. Organizations maintaining the reverse zone files

At the root of the system of IP addresses is the Internet Assigned Numbers Authority (IANA); they maintain the root name servers for .IN-ADDR.ARPA. They delegate the smaller blocks to Regional Internet Registries (RIRs) that run the servers on their level (a kind of counterpart of the TLDs in the case of domain). There are currently five of them:

These then delegate smaller blocks to smaller organizations or persons; everyone with a specific netblock has to run the respective server.

So, all that we have said about recursive and iterative queries work in the same way as in the case of inverse mapping, using the above hierarchy of servers.

3.3. Zone maintenance

This is the set of operations which enable the different authoritative name servers to keep their zone files up to date. As the details are less important from the applications' point of view, we just provide a brief overview of the involved operations. We remark, however, that these are essential for the proper operation of the domain name system, especially from the performance and robustness point of view. The main operations are as follow:

  • AXFR
    Full ZoneTransfer is simply the polling of the whole zone file, typically from a master to a slave server. It is initiated by the slave. Such polling has to take place according to the timings defined in the SOA record, where all the relevant time parameters, such as timeout, are defined. It is important that the zone file does not get updated if the one to be polled does not have a bigger serial number than the currently available one. A con of AXFR is that a zone file can be huge; an incremental update is much more efficient in some cases.
  • IXFR
    Incremental Zone Transfer is an update of the zone file restricted to the changed records only. It was introduced in RFC 1995. It is done under the same conditions as AXFR, also initiated by the slave, but it requires much less data to move, so it is much more efficient both regarding the time required to carry it out, and bandwidth-wise.
    Also introduced in RFC 1995, this is an operation to the inverse direction as compared to the previous two: it is used to notify slaves that a change in the zone file might have occurred, so it is likely that they should poll it. This has significant benefits for the propagation time of zone file changes.

All these rather logical maintenance operations are based on zone files as literally files existing on certain servers and being interchanged amongst them. With the growth of the Internet, this also became a bottleneck. The files became huge and hard to administer. In addition, if any change appears, the server has to read the whole file again sequentially, causing a possibly unacceptable unavailability time. This leads to the need for dynamic DNS introduced in RFC 2136. This enables the update of zone records from external sources. However, it does not allow for adding or deleting a new zone. In addition, it raises additional security issues as there are more servers involved in the update. Hence, the same RFC defines the concept of a primary master name server which is just one of the master name servers but authorized to control the DDNS process.

Having understood the key DNS operations, let us see what types of name server occur in the DNS system.

4. Name Servers

In this section, we take a closer look at the servers themselves which run the DNS protocol. First, we will classify them based on their role in the system, then we will briefly describe some particular implementations.

4.1. Functionality

Even though we frequently speak about types of name servers, maybe using the term "role" instead of “type” would be more in order. Actually, the same physical server can be a master of a given zone and a slave in another, and may even serve as a caching server in the meantime, depending on the configuration of its software. And the commonly-used implementations allow for very byzantine settings as well. Nevertheless, it is important to distinguish between certain roles:

  • Master Name Servers
    These read the information directly from the zone files (edited locally). They give authoritative answers about the hosts in their zone, enable the slaves to poll zone files from them, send them NOTIFY if appropriate.
  • Secondary Name Servers
    They are the slaves. They poll their zone files from their master and provide authoritative answers to queries regarding their zone.
  • Caching Name Servers
    These do not have complete zone files. They have a cache built from the non-expired results of previous queries and can provide non-authoritative answers to queries they hold the answer for. They support recursive operation and communicate with slave or master servers when they receive a query whose result is not yet cached. If they forward an authoritative answer to the resolver, their answer is also considered as authoritative.

In addition, there are some other types not directly relevant from the point of view of the global DNS ecosystem:

  • Forwarding or proxy name servers
    These forward all queries to another name server, and cache all the obtained results. At first, this sounds pretty much like a caching name server, but it is not the case. These name servers will not process referrals at all, hence the communication between them and the resolver is restricted to one query-response pair in the case of each lookup request. They are mainly useful for saving network traffic.
  • Stealth name servers
    These are the ones serving a local network whose sites are not visible from the outside. So, the hosts, except for a few servers, are within a demilitarized zone (DMZ), they have internal IPs, and they see the Internet through a firewall gateway, typically with IP masquerading. Their specialty is that they are expected to answer the queries of the internal hosts, both regarding domains on the Internet and host names within the DMZ. Sometimes, they are also called DMZ, or split name servers.

4.2. Implementation

Perhaps, the most prevalent piece of DNS software is BIND, the Berkeley Internet Name Domain, which was originally developed at the University of California, Berkeley. It is a free, open-source, and reliable implementation running on most root servers, etc.

Alternatives do exist, though. Microsoft Windows servers, for instance, have their own DNS server implementation. And there are many others. Some are designed to act as a simple proxy, some are designed to be an authoritative-only server, etc. A good comparison of these implementations are here: https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software.

Importantly, as we have described, a standard zone file can be migrated from one implementation to another. But many of the servers (including BIND) accept non-standard features in the zone file, like using time units other than seconds. This should also be taken into account if zone files are analyzed with any other type of software.

5. A simple query example

But what do end-users see from all these? Well, not too much. In most cases, they type in a name, and they are not even familiar with the existence of an IP address.

However, as professionals, we can send a query to a server and obtain the accurate answer. The very reason for putting this short section here is that in order to really understand what is going on, we need to illustrate everything that we have discussed so far.

There is a variety of tools for this. We shall use the nslookup utility available on most platforms (even though the Linux and other UNIX-flavor communities tend to prefer the command dig instead).

So, let us give it a try: on my typical Ubuntu host, the command

nslookup www.example.com

will result in the not-so-detailed non-authoritative answer:

Server: answer:Name:www.example.comAddress:

Note that the answer was given by my local host. Indeed, most Linuxes tend to run a proxy name server locally. But what if I'm interested in the related SOA record, too? The "nslookup" has many options, including this one:

nslookup -type=soa www.example.com

and the answer will be:

Server: answer: Can't find www.example.com: No answerAuthoritative answers can be found from:example.comorigin = sns.dns.icann.orgmailaddr = noc.dns.icann.orgserial = 2018112857refresh = 7200retry = 3600expire = 1209600minimum = 3600

Well, in fact, it is not "www.example.com" but "example.com" that has an SOA record. So I could have said:

nslookup -type=soa example.com

resulting in:

Server: answer:example.comorigin = sns.dns.icann.orgmailaddr = noc.dns.icann.orgserial = 2018112857refresh = 7200retry = 3600expire = 1209600minimum = 3600

Or, if I want to have an authoritative answer directly, I can specify the name server host:

nslookup -type=soa example.com sns.dns.icann.orgServer:sns.dns.icann.orgAddress: = sns.dns.icann.orgmailaddr = noc.dns.icann.orgserial = 2018112857refresh = 7200retry = 3600expire = 1209600minimum = 3600

Finally, let us demonstrate a reverse lookup:


resulting in:

Server: answer: = whoisxmlapi.com.

Of course, what we have seen here is just a small portion of the supported possibilities, and we encourage our readers to play around with them. All the types of RRs are available through these queries, even those which we have not yet discussed, e.g., the ones defined in support of security.

6. Security

In this section, we will address two points. First, we will provide an overview of potential threats against the DNS system itself and the possibilities of its protection. Then, we will discuss the role of the DNS in overall IT.

6.1. Internal security of the DNS system

The DNS protocol, by its original design, is based on unencrypted network communications. Hence, it is prone to various security threats. These even include the modification of delegation details. We go through these along with the possible means of protection.

  • Zone file corruptions
    A corrupt zone file, regardless of whether it got corrupted accidentally by some mistake made by authorized personnel or by a malicious intruder to the system, can obviously cause a lot of problems: lack of proper updates, invalid name resolutions, or even the malfunction of a master server. This is a local issue, and it can be overcome by proper system administration and ensuring the overall server security.
  • Zone file transfers
    They are vulnerable against various types of attacks. For instance, a malicious agent can intercept AFXR or IFXR communications and inject distorted information into the system, e.g., by IP address spoofing, thereby poisoning slave name servers. One way to overcome this is to disable zone transfers. But obviously, it is not always possible. Another option is the protection of the network architecture itself. Finally, the communication can be authenticated and encrypted. RFC 2845 describes the Transaction SIGnature (TSIG) protocol to facilitate an authentication step of the zone file update process. It uses shared secret keys and one-way hashing to ensure the security of the authentication. A special RR type, TKEY is used in various modes to facilitate the establishment of the shared key.
  • Dynamic updates
    The same can be said here as in the case of conventional zone file updates: address spoofing or unauthorized updates can introduce invalid data into the system. Besides TSIG, there is another related protocol, SIG(0), for request and transaction authentication based on public-key cryptography, c.f. RFC 2931.
  • Attacks against remote queries
    Subverted masters or slaves, as well as poisoning caches, are all possible attacks against Server-Client communications. A good solution is the use of DNSSEC (Domain Name System Security Extensions), designed for authenticating these communications securely, albeit lacking encryption of the actual communication. This obviously also requires a variety of additional RRs. It is not yet prevalent, but there are a lot of pilot projects and zones where it has been introduced. Additional information can be obtained from https://www.dnssec.net/projects.
  • Attacks against resolver queries
    These are similar to those mentioned in the previous item, affecting communication between remote and local clients. Besides, the use of DNSSEC, the usual SSL/TLS encryption of the communication is a good way of protection.

6.2. DNS in IT security

The connection of domain names with IP numbers is of paramount importance in IT security. For instance, many spam mail filtering methods are based on the verification of the validity and appropriateness of the DNS data of the sender. Firewall logs contain primarily IP addresses, hence, when investigating threats, it is important to see if it is possible to validly assign domain names to these. And if there are some data, they can reveal a lot of information about the opponent. Many other applications can be listed; considering that naming resources is an inherent feature of any electronic network communication, and it is naturally related to the identity - real or virtual - of the communicating entities.

7. Passive DNS

DNS has one significant shortcoming, especially when viewed from the IT security point of view. While it always contains timely information about domains and IPs, it is just a snapshot which does not allow obtaining DNS information of past time instants within this system. Of course, it is quite natural that even if the snapshot embodies a tremendous amount of data, it is virtually impossible to maintain the whole history. And yet, it would be of paramount importance.

7.1. Reasons why we need passive DNS

Imagine, for instance, that you find an IP address upon the investigation of some threat, but the IP address has ceased to exist. It is likely that at the time of the attack, it did resolve correctly, but then it has disappeared. At least, a chance to find a past resolution of the IP or domain would be a fundamental clue. And even if an IP address that has been marked as malicious does not resolve anymore, the data from the past could still provide a key for the identification of its domain, thereby preventing the malicious activity of the opponent. So, the past data has implications for the present and future security issues, too.

In another example, to detect the success of the aforementioned threats of the DNS system itself, it would be handy to have resolution data of the past. Its analysis could reveal the changes then.

These data can be used in more sophisticated ways in threat intelligence, involving a variety of big data and even machine learning tools, e.g., in order to reveal an algorithm generating short-lived domains registered by a suspicious agent.

7.2. The solution: Passive DNS

Passive DNS, which is otherwise not part of the DNS protocol, provides the very data the applications in the previous section cry for. The original idea was introduced around 2004: to use recursive name servers to log responses received from various name servers, and save the collected data, augmented with timestamps, in a compressed form, to a central database. Note that in this approach, no stub resolver to name server communication goes on; it is based on server-server communication. This saves a lot of network traffic and excludes vulnerabilities related to the avoided kind of protocols. In addition, it does not pose any privacy issues: you will not collect data on who and why a person tried to resolve an IP or a domain.

There are several passive DNS services on the market. The servers collecting the data are termed as DNS sensors, and they provide data for a central, usually very big database. Different services may have different strategies to select the communications to be logged from among the whole DNS traffic. Passive DNS has become a fundamental tool in IT security.

7.2.1 Passive DNS Applications

Passive DNS is an enabler, as it allows existing threat solutions to better perform their important roles. At the same time, it is a facilitator, as it helps produce actionable information that cybersecurity teams can use to be one step ahead of malicious actors.

These functions are made possible through a huge passive DNS database, the analysis of which can reveal the suspicious movements of past domain data which can be leveraged for threat intelligence purposes. Passive DNS data can also be correlated with other information or integrated into APIs for swift analysis.

Below are the relevant use cases of Passive DNS, and why they are crucial to cybersecurity maintenance:

Application How passive DNS can help
Locating domains connected to known malicious addresses
  • Maps all domains connected to a known malicious IP address enabling further detection.
  • Helps identify which of the domains are infected with malware and which ones are benefiting from it.
Identifying malicious infrastructure and suspicious activities
  • Helps detect when trojans have infiltrated a system and are trying to let malicious users gain access to it.
  • Helps locate and dismantle domain infrastructure that supports phishing attacks.
  • Helps detect and reduce covert communications from an organization’s infrastructure.
Fraud and domain name infringement detection
  • Helps identify if any fraudulent changes are made in the DNS system.
  • Allows pinpointing newly-registered domains since these are often used for fraud.
  • Enables mitigating the risks of shadow domain, typosquatting, or other attacks where malicious actors create websites with deliberately similar addresses to those of reputable organizations.
Getting actionable insights on the attacks and their mitigation
  • Passive DNS data combined with other data helps provide insights into what known bad actors are planning to do.
  • Helps mitigate phishing attacks, especially when the data is integrated with operational enterprise solutions.
  • Enables near real-time detection of fraudulent alterations to the DNS system such as cache poisoning attacks.

8. Summary and further reading

The present document aims to give a quick introduction to the Domain Name System, a crucial ingredient for the operation of the Internet. We have briefly reviewed its concepts, system architecture and implementation, goals and means to reach them, and, notably, its security issues and role in IT security.

This information is sufficient for a newcomer to have a basic understanding of the topic. But, of course, there are many additional details not described here. In this regard, we refer to the extensive literature on the subject.

There is a tremendous number of books and other documents available about the topic. To name a few, “Pro DNS and BIND” by Ron Aitchison provides a detailed, self-contained, and practical introduction to the topic. It is also worth mentioning Cricket Liu's classic works, such as “The DNS and BIND” cookbook. As for DNS security, “DNS Security: Defending the Domain Name System” by Allan Liska and Geoffrey Stowe is a comprehensive source.

As for passive DNS, there are many good reads, too. The original idea of passive DNS is due to Florian Weimer, who has a very informative page on this: http://www.enyo.de/fw/software/dnslogger/ Though relatively old, his original paper is still one of the best introduction to the idea of passive DNS, its functionality and applications.

Finally, we remark that WhoisXML API, Inc., offers various API and database products related to the DNS system. A DNS lookup API provides a simple and convenient way to perform DNS lookups. The Reverse IP/DNS API provides comprehensive DNS information on an IP address, including its past. The Reverse MX API reveals all domains that use the same name server, whereas the Reverse NS API finds all domains with the same name server. These APIs provide a handy way of obtaining useful information which is not very easily found in the Domain Name System otherwise. The services are based on current and historic databases, which are also available for download.

Download the full article in PDF


WHOIS Databases: Business, Cybersecurity, and Many More Applications Explored https://main.whoisxmlapi.com/whois-databases-business-cybersecurity-and-many-more-applications-explored Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/whois-databases-business-cybersecurity-and-many-more-applications-explored

The Web is a tangle of information. Data is everywhere and finding reliable sources can be a challenge in the era of fake news. Websites, as a prime example, can be informative or misleading. You may get your hands on something useful or be deceived – and learning more about domain owners and assessing whether they’re trustworthy is notoriously hard.

This is where the powers of WHOIS databases come in, whose applications are multiple — ranging from cybersecurity to marketing research to criminal investigation. How so? This white paper considers a variety of use cases.


The Web is a tangle of information. Data is everywhere and finding reliable sources can be a challenge in the era of fake news. Websites, as a prime example, can be informative or misleading. You may get your hands on something useful or be deceived – and learning more about domain owners and assessing whether they’re trustworthy is notoriously hard.

This is where the powers of WHOIS databases come in, whose applications are multiple — ranging from cybersecurity to marketing research to criminal investigation. How so? This white paper considers a variety of use cases.

Table of contents

A Brief Intro to WHOIS

With countless new domains registered on a daily basis, it’s difficult to stay informed about who owns the web. However, with WHOIS and WHOIS databases, this is possible. Let’s take a look at these as a starting point.

What is WHOIS?

In a nutshell, WHOIS is a suitable way to collect and verify data about individuals and organizations with an online presence. A WHOIS record is automatically created as part of each domain registration, and it includes identifiable information such as the domain owners’ names, contact details, and physical addresses alongside important dates regarding the creation, expiration, and transfer of domains.

What is a WHOIS database?

WHOIS databases are structured sets of WHOIS data that enable the reviewing of thousands or more domains simultaneously. In fact, raw WHOIS data, with each record being separate, is of little interest to large-scale users like, for example, cybersecurity and marketing departments seeking to check multiple online entities at once.

WHOIS databases are built by third-party providers, like WhoisXML API, and their utility can be evaluated according to their breadth — i.e. the number of TLDs and ccTLDs included — and accuracy — i.e. whether they are maintained and updated regularly with the latest domain information.

Cyber Security: A Safer Internet

Cybercrime activities have reached unprecedented levels. The 2018 Data Breach Investigation Report from Verizon accounted for 53,308 security incidents during the year, 2,216 of which resulted in data breaches.

Organizations and the public alike are at risk. For example, Under Armour, a sportswear manufacturer, claims nearly 150 million of its MyFitnessPal accounts to have been compromised due to hacking, while the hotel chain giant Marriott has had data from 500 million of its guests stolen as a result of a cyber attack.

Individuals are also a target of malicious emails with the average user receiving 16 shady emails on a monthly basis.

How do WHOIS databases help improve cybersecurity?

Cybersecurity teams have their hands full counteracting hackers and scammers whose nefarious skills and familiarity with modern systems make such efforts increasingly difficult.

So what’s the way forward? Comprehensive countermeasures must be put in place — combining traditional and unconventional techniques. Besides strengthening anti-virus and firewall capacities, cybersecurity personnel can look into domains and their infrastructure to identify threats and come up with solutions.

With WHOIS databases, individuals and businesses have access to accurate data to fight different cyber threats.

Application How WHOIS databases help
Counteracting phishing Leveraging WHOIS information allows users to verify, check, and compare details of domains whose owners claim to be one entity but show up differently in the record.
Combating malware Users can use WHOIS records when they suspect that a website may have been created for malicious ends. Warning signs include recent registration dates and registrants in high-risk countries.
Scoping malicious activity Users can identify connected websites, IP addresses, and domains that could be linked to fraudulent activities by cross-referencing WHOIS data with other DNS details.
Proactive cybercrime prevention Once a malicious domain has been identified through its WHOIS records, that address and the ones connected to it can be blacklisted to protect visitors from the same or similar attacks.

Threat Intelligence: The Hunt Is On

As threats continue to rise, organizations are recognizing that investing in prevention is better than mitigating the consequences of costly data breaches. Threat hunting, or actively searching networks to identify and eliminate threats, alongside threat intelligence, gathering evidence-based data to make informed decisions, has therefore gained momentum.

How does WHOIS support threat intelligence and hunting efforts?

What are the weak links in a given corporate network? Which corresponding tools should be adopted? As an SMB or a large organization, where would security budgets be best allocated? Affordable access to WHOIS databases could provide insights for threat hunting efforts and bolster existing threat intelligence platforms.

Application How WHOIS databases help
Proactively looking for threats Real-time domain WHOIS data allows users to cross-examine registration details with sources of cyber data to identify threats.
Examining newly-registered domains Automated notifications about new domains using WHOIS databases permit implementing proactive measures, such as the blocking of dubious websites.
Powering threat intelligence platforms Users can feed WHOIS data into their threat intelligence platforms to get a closer look at the infrastructure of certain hosts.

Domain Registration: A Busy Marketplace

The Internet landscape is growing by more than 7 million domain registrations each year. This surge has made the Web a crowded place and an exciting market for domainers.

Why do WHOIS databases matter to domainers?

Domainers are hard-pressed to anticipate market trends and put their hands on the right names before anyone else does. However, there are other aspects to bear in mind like ensuring domains they purchase have been lawfully used. WHOIS databases allow staying on top efficiently.

Application How WHOIS databases help
Secure and fast purchases Domainers can perform the necessary background checks on domain name availability while also getting updates on newly-registered or recently-expired domains that are available for purchase again.
Valuation and safe ownership transfer Domainers can access the full history of a domain’s transactions including the date it was created, when it is due to expire, to whom it belonged, for how long, and through which registrar.

Brand Protection: Uncompromised Intellectual Property

What’s the value of intellectual property? Well, 3,000 trademark infringement lawsuits are filed in the US every year, and to reinforce this statistic, 3,074 WIPO cases were filed by trademark owners in 2017 through the Uniform Domain Name Dispute Resolution Policy (UDRP).

How can WHOIS support infringement detection?

Disputes on domains and trademark infringement are generally costly, especially when reliable domain information is not available. Not only do they take a lot of effort to go through, but they can also result in damaged reputations arising from bad publicity and lead to lost sales and revenues.

So how can IP management teams keep company assets protected from cases involving brand violations? Here again, WHOIS databases can prove their efficacy.

Application How WHOIS databases help
Monitoring competitor moves The WHOIS protocol lets brand managers anticipate what their competition is planning through the analysis of newly registered domain names and potential launches of new products.
Preventing infringement Users can monitor domains that have similarities to their brand – perhaps to cause confusion or damage reputation – and use WHOIS contact details to start remediating the situation.
Protection from brand abuse Users can receive messages of registration attempts that contain company trademarks or similar keywords for which they own usage rights.

Marketing Research with Facts

Market researchers have been on their toes as budgets go down to maximize return on marketing investments. Indeed, Procter & Gamble saved $750 million in 2018 by reducing advertising expenditures and cutting agency costs by 50%. So where can facts be gathered to support the business rationale of upcoming campaigns?

How can WHOIS data be used for marketing activities?

Traditional research techniques are not as effective as they used to be in a digital-driven world, and they do not allow identifying trends and remain a step ahead of their competition. WHOIS databases, on the other hand, can contribute to in-depth data analysis and fuel marketing initiatives at several levels.

Application How WHOIS databases help
Recognizing new opportunities WHOIS records add to and improve the accuracy of existing business contact database, allowing companies to engage purchasers and sellers.
Having relevant information on domains Marketing departments are able to detect available neighboring domains to expand their product lines or rebrand themselves.
Staying on top of competitors and industry trends Marketers can stay updated on the movement of domain registrations, acquisitions, and other such activities to monitor and foresee upcoming trends that may affect their competitive position.

Registrars in the Know

There are almost 3,000 accredited domain registration companies present in the registrar market. Stiff competition has called for service differentiation as well as cost reduction, and that requires clarity on where the industry is heading.

How does WHOIS add value to registrars?

Let’s say you operate in the registrar market. Would you like to know where you’re positioned in the industry? What’s your market share in a given country or for certain TLDs? Are there new entrants worth watching out for? To which service are your registrants migrating or from whom have you “stolen” customers?

These are some of the questions you can answer with WHOIS data integrated into databases and track everything that’s happening with domain names.

Application How WHOIS databases help
Streamlined access to data Registrars are able to set up WHOIS APIs connected to databases, saving time and avoiding the complexity of developing the backend themselves.
Reliable domain registration, management, and transfer Registrars can use the information provided in databases to execute daily activities — checking domain names availability, confirming domain histories, identifying dangerous domains, and facilitating transfers for domain owners.
Combating phishing Registrars can help law-enforcement agencies by providing them with in-depth knowledge of domains that are involved in cybercrime.

Law Enforcement Made Possible

The current cybercrime situation is quite rampant, and law enforcement agents are never out of work. Just recently a cybercrime ring that has been accused of trafficking stolen identities was taken down by US authorities. However, not all cybercriminals are easy to catch. Perpetrators are becoming more creative and slippery than ever to prosecute.

How can WHOIS data contribute to law enforcement?

Law enforcement agents need as many insights as possible to track down lawbreakers. Having complete access to domain information can turn particularly valuable to conduct effective investigations and study and anticipate cybercriminals’ behaviors.

Application How WHOIS databases help
Getting investigative leads Agents can investigate, trace, and analyze leads to possible malware authors and fraudulent website owners who may be part of a larger group of hackers and offenders.
Gathering information to prepare cases Domain data can become part of threat data collection processes aimed to protect the public, build legal cases, as well as seize and take down suspicious domains following a trial.
Assistance during investigations Domain ownership data can be obtained immediately through WHOIS records to support investigations, locate site owners and their service providers, as well as to support communication with courts and governmental authorities.

Fraud Detection in the Loop

Fraud levels have risen from 1.58% to 1.80% in 2018, while losses due to online payment scams are expected to reach $48 billion by 2023. That’s the dark side of business increasingly being conducted online, and it’s eroding customer trust.

What is the relevance of WHOIS databases for e-commerce businesses?

Online businesses need to effectively detect and prevent malicious activities — e.g., scammers seeking to get their hands on customers’ information. However, they don’t often have the time to monitor and analyze unlawful attempts one by one. Individuals, in parallel, may think twice before disclosing their details on a new website and completing a purchase.

Being able to perform queries at scale via a trusted WHOIS database or API easily is an effective way to intercept and combat fraudulent behaviors.

Application How WHOIS databases help
Fraud prevention Users with WHOIS protocol access can investigate a website’s validity and credibility before giving up their credit card or other online payment information.
Fraud identification Being able to flag users labeled with risky email IDs and websites could help identify malicious intents.
Fraud investigation Cross-checking information in WHOIS databases enables people to investigate suspected illicit money transfers or invoices for possible scams.

Dependability for the Financial Sector

Without a doubt, cybercriminals and fraudsters are after money — and the people who hold it. For that reason, financial stakeholders are the common target of social engineering attacks where business proposals often sound too good to be true.

What are the applications of WHOIS for banks and financial institutions?

Financial organizations must show due diligence before they proceed with large transactions — e.g., payments for services and new projects, acquisition of a new technology or innovative company, etc. What’s more, deciding whether or not to commit funds to a new business is hard for venture capitalists, private equity firms, and banks.

In these and other circumstances, dependable WHOIS information is essential to make the right moves and avoid lemon investments.

Application How WHOIS databases help
Recognizing new opportunities Investors can analyze domain information from WHOIS databases and learn more about the veracity of claims made during funding decision processes.
Better understanding the business backstage Recent changes in WHOIS data and domain owner information reveal a lot about the state of possible mergers and acquisitions, investments, spinoffs, and business liquidations.
Enhancing business intelligence Investors and banks can use domain registration data to improve their business intelligence efforts. WHOIS data can provide information on the structure and dynamics of companies using data mining techniques.

Scoops in the Data

With the World Wide Web reaching more than 1.8 billion websites and the emergence of fake news, sorting and verifying information is now harder than ever. How can media specialists differentiate themselves? Is the drop in the quality of online news inevitable?

Why is WHOIS data helpful to journalists?

Journalists need to keep up by performing a deeper analysis of content that matters while disregarding irrelevant sources. In that process, WHOIS databases can serve as an investigative tool to process large amounts of data about multiple online entities and uncover scoops.

Application How WHOIS databases help
Monitoring for new stories WHOIS database can be used to keep track of target registrants and their activities such as product launches, service developments, and new ventures.
Verifying information Journalists can make sure that their facts are right by looking up WHOIS data and, if they are in doubt, contact the entities of heir interest.
Getting the data that matters Bulk WHOIS functionality allows users to obtain and filter data in batches using custom attributes and obtain the desired results for groups of domains immediately.

There are plenty of uses for domain ownership data in today’s business world. It can be applied to fortify an organization’s cybersecurity, enhance marketing strategies, collaborate with law enforcement, enhance brand protection, and much more.

Are you interested in experiencing how WHOIS databases can benefit you as an individual or organization? Send us your questions at general@whoisxmlapi.com.

Download the full article in PDF


Fight against phishing e-mail with WHOIS: A technical blog based on the 2018 "Airbnb" case https://main.whoisxmlapi.com/fight-against-phishing-e-mail-with-whois Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/fight-against-phishing-e-mail-with-whois

Phishing is a way to obtain sensitive information by sending electronic communication pretending to have come from a reliable, trustworthy partner. According to the 2018 IBM X-Force Threat Intelligence Index, "Despite the increased use of chat and instant messaging applications, email continues to be one of the most widely used communication methods for any organization, and phishing attacks continue to be one of the most successful means of making unknowing insiders open the door to malicious attackers."


Table of contents

On phishing scams

Phishing is a way to obtain sensitive information by sending electronic communication pretending to have come from a reliable, trustworthy partner. According to the 2018 IBM X-Force Threat Intelligence Index, "Despite the increased use of chat and instant messaging applications, email continues to be one of the most widely used communication methods for any organization, and phishing attacks continue to be one of the most successful means of making unknowing insiders open the door to malicious attackers."

Hundreds of millions of phishing e-mails are sent on the Internet every day, leading to billions of dollars stolen annually, not to mention the overtaken accounts and sensitive data obtained this way. The importance of the fight against e-mail phishing cannot thus be overemphasized.

In what follows, we present an example of such a fraudulent activity which attracted a lot of attention in the media recently and whose victim virtually anyone could fall to. Through this particular example, we illustrate the use of WHOIS data in revealing this kind of malicious activity. Whois data can be an important piece of intelligence in any anti-phishing security software/solution.

The Airbnb story

Airbnb, the popular online marketplace for arranging and offering lodgings has been prone to phishing activity for several years. As an online marketplace which assists in organizing payments, it is very attractive to malicious actors who would prefer the money transfers to ultimately end up in their temporary bank accounts.

The recipe in this scheme is simple: deceptive means convince a prospective victim that his credit or debit card data have to be sent in a reply e-mail or typed in on a short-lived, yet seemingly convincing website. Alternatively, these data can be stolen from the client's account along with other sensitive information, after a persuasive email kindly asks them to send the account name along with the password in a reply, claiming it to be necessary for whatever reason.

The active enforcement of the General Data Protection Regulation (GDPR) started across Europe on May 25, 2018. In a matter of days after this data protection legislation took effect, Airbnb saw a significant burst of phishing e-mails. Paradoxically, even though the main intention with the new regulation was that "Stronger rules on data protection mean people have more control over their personal data and businesses benefit from a level playing field." (source: this link, 2018.11.06.), its introduction has led to numerous foreseen and unforeseen consequences, some of which, in fact, seem to be introducing significant IT security risks. One of the short-term impacts of the new rules was that all the companies handling data of EU citizens in any form had to contact their clients to confirm certain new agreements.

As a consequence, e-mails with reference to the new GDPR started flooding all EU citizens (with rules that many of the latter do not even clearly understand). Because most of those e-mails urged for some activity or reply, this confusion-filled scenario became a genuine paradise for phishing schemes.

The malicious scam is simple: send e-mails to all addresses in your spam database on behalf of Airbnb and refer to the new GDPR as the reason why they need to share their sensitive data. There will be enough gullible Airbnb clients on the list who will fall for the trick.

And it happened. It is enough to look at the headlines:

  • "Airbnb Customers Targeted with Phishing Scam" (Infosecurity Magazine, 4 May 2018)
  • "Redscan warns of GDPR phishing scams," (Computer Weekly, 3 May 2018)
  • "Phishing campaign aimed at Airbnb guests uses GDPR hook" (scmagazine.com, 4 May 2018.)
  • "Gardaí warn of possible rise in email scams related to new data law" (The Irish Times, 28 May, 2018.)
  • "GDPR isn't to blame for all those dumb emails you're getting" (Wired, 11 May 2018.)

etc., just to quote some of the news in English.

Let us now look at this incident from the point of view of WHOIS data.

A WHOIS-based investigation of the Airbnb campaign

There are two general ways for anti-phishing software/human to determine if an email is malicious:

  • Without scanning the full email, as that could possibly take lots of time. For this, external data sources can be used: WHOIS, NSL, proximity of the domain to a known malicious actor/domain/IP, etc.
  • By scanning the email: the contents of the email may be helpful if the link directs to a completely different domain or another malicious domain, etc.

In what follows we demonstrate the kind of information we can get, solely from WHOIS data that can be downloaded from the data feeds of WhoisXML API, supplemented by the possible use of some APIs.

About the approach

In our little investigation looking to demonstrate the footprint of phishing attacks against Airbnb in the WHOIS ecosystem, we shall use simple Linux/BASH command-line tools on our csv files downloaded from WhoisXML API, Inc. The same is trivially doable on Mac OS X as well. For Windows 10 users who want to try it out, we recommend installing Bash on Ubuntu on Windows (see our blog on how to install it: http://www.fengnu.net.cn/blog/using-bash-andother-linux-tools-on-windows-10-for-processing-whois-data) Users of earlier server versions of Windows can also work with Microsoft Services for UNIX.

However, all of this is doable with your favorite tools such as Windows PowerShell, or Python, etc., too.

Single WHOIS records

Our starting point will be an example described in a related article found under this link. "While the phishing messages might look legitimate at first glance, it's worth noting that they don't use the right domain - the fake messages come from '@mail.airbnb.work' as opposed to '@airbnb.com'." The mail in the example dates back to 18 April 2018, about a month before the enforcement of the new GDPR.

Let us now check the "work" top-level domain. Looking at the WHOIS data of the domain "airbnb.work". This task is doable even with a simple WHOIS lookup or entering this search term to the "Whois lookup" field on http://www.fengnu.net.cn. By doing so we obtain information on who the domain belongs to. Is this a suspicious domain according to these WHOIS data?

First of all, phishing e-mails frequently come from domains which were registered recently and abandoned shortly afterwards. As for the relevant dates, we have:

  • Updated Date: 2018-03-22T15:47:34Z
  • Creation Date: 2015-04-07T06:47:17Z
  • Registry Expiry Date: 2019-04-07T06:47:17Z

This does not look like a very short-lived domain. However, looking at the other lines of the WHOIS record, as for the registrant, we can probably repeat all the data without the risk of privacy violation:

Domain's registrant

  • Organization: REDACTED FOR PRIVACY
  • State: Tokyo
  • Country: JAPAN
  • Country code: JP

We remark here that regarding the "Technical contact", "Billing contact", and "Administrative contact" data, all the fields are "REDACTED FOR PRIVACY". Of course, due to the "stronger rules" of the new GDPR, WHOIS records are nowadays less and less informative: much of the registrants’ data are hidden for certain privacy reasons. However, if we look at the WHOIS record of the real "airbnb.com", although there aren't as many pieces of information there which traditional WHOIS used to provide, we will still learn the following:

  • Registrant Organization: Airbnb, Inc.
  • Registrant State/Province: CA
  • Registrant Country: US

We do indeed learn to whom the domain belongs. And honestly, is there any good reason to hide the "Registrant Organization" for privacy reasons?

Here all we know about the registrant is the country: Japan. The registrar in question is in fact a known web hosting and service provider, also based in Japan, with many clients, so this part seems legitimate. It is weird though that "Tokyo" is mentioned in the "State" field, whereas the "City" is "REDACTED FOR PRIVACY". Japan does not divide into ‘states’, and Tokyo is certainly not one. In fact, the "State" field is invalid, but let’s suppose it is just an error. But then what are the benefits of a real Aibnb-related enterprise doing business correspondence from Japan, from a top-level domain ".work" which does not even reflect any Japanese character? It is hard to see any good reason.

Hence, there are multiple red flags in the WHOIS record of "airbnb.work" suggesting that any correspondence coming from here or containing an URL from here in the mail body should be treated with care and at least be subjected to further investigations. (Note, however, that we do not state with certainty that "airbnb.work" is a malicious domain. We only remark that its registrant cannot be identified at all from its current WHOIS data, and its registrar and registrant are from a country not directly related to Airbnb. And although it is claimed to be in use for malicious purposes in an incident described on a discovered public web page, someone could well have misused an otherwise honest domain. We leave the estimation of the likelihood of all these to the reader.)

So far our investigation was based on a single WHOIS lookup at the time when the e-mail is investigated. When doing this with a lot of e-mails, one will require many WHOIS lookups. So when using the WHOIS protocol itself, most servers will soon refuse to serve us as they have their limitations. This problem can be overcome by using a proper Web-based API, such as https://whoisapi.whoisxmlapi.com, which will provide an accurate and up-to-date answer in JSON or XML and can be simply used from a script, e.g. with "curl".

Even simpler, the sender address "important@mail.airbnb.work" can be checked with our e-mail verification API. For the sake of completeness we show how this can be invoked from a shell, using, e.g. "curl":

curl --get --include \"https://emailverification.whoisxmlapi.com/api/v1?apiKey=XXX&emailAddress=important@mail.airbnb.work"

Here you will need an API key provided with your API subscription; please replace "XXX" with your key. (A free subscription is available, so you can try what we are doing here.) This will result in the following JSON:

{ "audit":{ "auditCreatedDate":"2018-11-06 14:20:38.000 UTC", "auditUpdatedDate":"2018-11-06 14:20:38.000 UTC" }, "catchAllCheck":"null", "disposableCheck":"false", "dnsCheck":"Invalid hostname", "emailAddress":"important@mail.airbnb.work", "formatCheck":"true", "freeCheck":"false", "smtpCheck":"null"}

So if the mail were to be received right now, the problem would probably not be entirely at the WHOIS level, although the DNS lookup would immediately reveal that there is something wrong with it.

Let us therefore take a quick look at the DNS data of "airbnb.work". This can be easily done either with the command-line utility "dig", or with another API at whoisxmlapi.com, namely, the DNS API. On this page, there is a simple interactive entry for DNS lookup (or one may subscribe to do it from a program or with "curl"). But entering "airbnb.work" will merely give us an error message:

"Unable to retrieve DNS record for airbnb.work". Although the domain exists, it does not have a valid DNS record. This is another fact that makes the domain suspicious. A possible continuation of our investigation to the DNS direction would be the use of "passive DNS", a very important approach in forensic analysis, but we are not going into detail now, as we aim to demonstrate how far we can get with WHOIS. We’ll remark though that by using passive DNS one can find that this domain, while registered on 2015-04-07, was never seen before 2018-05-03. This is yet another red flag: it appears that it was a Newly Observed Domain (NOD) at the time of the flood of GDPR-related emails.

What if an incident has to be investigated not shortly after it happened but later on? WhoisXML API, Inc. offers downloadable WHOIS datasets, including historic ones, too. Using these data could have various benefits. One can build a local WHOIS database and keep it up-to-date so that the filtering does not rely on an external API call. Also, such a database could provide historic data. As we shall see, even without setting up a database, one can download data and find relevant information by just analyzing the files with simple tools.

An investigation based on bulk WHOIS data

We will now search for short-lived domains by using data from WhoisXML API downloadable feeds. Motivated by the previous example, we will choose a set of top-level domains whose names suggest that they may contain short-lived domains related to Airbnb. We are considering the following ones:

apartments, book, booking, business, global, hotels, international, reise, reisen, rent, rentals, trade, travel, travelers, vacations, work.

All of these are the so-called "new top level domains" in the ICANN terminology. The best approach would be to download these data for all domains, including country-code top-level domains (ccTLDs), but since this is just a quick experiment, we’ve made this subjective filtering.

Finding short-lived domains

Here we shall implement simple tools to present a proof-of-principle demonstration of how to find short-lived domains typically used in phishing attacks. Such an investigation is possible even years after the actual incident.

Downloading data

We shall use some daily data feeds, which are documented here in detail. In particular, first we shall need data from the following feeds:

  • ngtlds_domain_names_new : domains registered on a given day
  • ngtlds_domain_names_dropped : domains deleted on a given day

By examining the emergence and disappearance of domain names containing the string "airbnb", we shall be able to identify short-lived domains. We shall investigate the period from 2017-01-01 to 2018-10-30. We need the data in "CSV" format, which in this case will be just a text file with a domain name in each of its lines.

To efficiently download data we shall use a specialized download script available in the GitHub repository, in its "whoisxmlapi_download_whois_data" subdirectory. It requires series 2 Python and some modules to be installed; we shall refer to its documentation for details. Having set up this program, we change into its directory and do

./download_whois_data.py --feed ngtlds_domain_names_new \--output-dir /path_to/downloaded_ngtlds_data \--username MYUSERNAME --password MYPASSWORD \--verbose --startdate 20170101 --enddate 20181030 \--tldsapartments,book,booking,business,global,hotels,international,reise,reisen,rent,rentals,trade,travel,travelers,vacations,work \--dataformat csv

for the data of new domains each day, and

./download_whois_data.py --feed ngtlds_domain_names_dropped \--output-dir /path_to/downloaded_ngtlds_data \--username MYUSERNAME --password MYPASSWORD \--verbose --startdate 20170101 --enddate 20181030 \--tldsapartments,book,booking,business,global,hotels,international,reise,reisen,rent,rentals,trade,travel,travelers,vacations,work \--dataformat csv

for the dropped ones. (In the above command lines, please replace "MYUSERNAME" and "MYPASSWORD" with the credentials you have obtained with your subscription, and "/path_to/ downloaded_ngtlds_data" to the directory in which you want to work with the data.) Actually, those who prefer GUI mode can start this program without any command line argument, a sequence of dialog windows will then guide the user through the download process.

The result will be the following directory structure within the target directory we have specified as –output -dir: there will be two subdirectories named after the feeds, i. e., "ngtlds_domain_names_new" and "ngltds_domain_names_dropped". Within each subdirectory there will be a subdirectory named after the domain; consider "work" as an example. Within the domain's subdirectory, each date will have a subdirectory, and a CSV file and its md5 sum will be there if any domains were changed or dropped that day. Thus, the relevant files will have the path e.g.


for the added and dropped domains respectively.

Analyzing data

Let us consider all domains as short-lived which were added and also dropped in the examined period, i.e., between 2017-01-01 and 2018-10-30. Thus we are looking for all the domains which are there in both the "dropped" and "added" lists for a given TLD on some day. This can be found out using the following BASH code:

for tld in apartments book booking business global hotels international reise reisen rent rentals trade travel travelers vacations workdo echo "In TLD ${tld}:" comm -12 <((for i in ngtlds_domain_names_new/$tld/*/*.csv;do grep airbnb $i;done)|sort) <((for i in ngtlds_domain_names_dropped/$tld/*/*.csv;do grep airbnb $i;done)|sort)Done

The following output is produced:

In TLD apartments: airbnbmanager airbnbmanagerIn TLD book:In TLD booking:In TLD business:In TLD global:In TLD hotels:In TLD international: airbnb-rooms19982 booking-on-airbnbIn TLD reise:In TLD reisen:In TLD rent:In TLD rentals: airbnb-book airbnb-booking suisse-airbnbIn TLD trade: airbnb-bookings airbnb-tenantIn TLD travel:In TLD travelers:In TLD vacations: airbnb-disneyworld airbnb-guestIn TLD work:

Note that not all the examined top-level domains contain short-lived domains (in the sense defined above). However, we have found some short-lived ones which could indeed be suspicious.

Let us now choose one of them, e.g. "airbnb-rooms19982.international", and take a closer look at it. First we find out when they were registered:

grep -H airbnb-rooms19982 ngtlds_domain_names_new/international/*/*.csv

resulting in


so the domain was registered on 2018-05-17. However, doing

grep -H airbnb-rooms19982 ngtlds_domain_names_dropped/international/*/*.csv

we have the output


meaning that it was dropped on 2018-06-15, about one month later. Well, it is at least suspicious...

Finally, let us see the detailed WHOIS data of the domain "airbnb-rooms19982.international". A standard WHOIS query will not find it, as the domain has ceased to exist. However, as it was registered on 2018-05-17, all we need to do is get the data from the "ngtlds_domain_names_whois_archive" daily feed, as at the time of investigating this case the registration happened more than 3 month ago.

(Were this not the case, we would use the feed "ngtlds_domain_names_whois".) So, returning to the downloader script's directory, we do the following:

./download_whois_data.py --feed ngtlds_domain_names_whois_archive \--output-dir /home/kmatyas/Asztal/Projects/WhoisApi/tmp/ngtlds_whois_data \--output-dir /path_to/downloaded_ngtlds_data \--username MYUSERNAME --password MYPASSWORD \--verbose --startdate 20180517 \--tlds international \--dataformat regular_csv

The result will be the file


in our data directory. Thus we can look for our domain:

zgrep airbnb-rooms19982 \ngtlds_domain_names_whois_archive/2018_05_17_international.csv.gz

resulting in the following output:

"airbnb-rooms19982.international","Tucows Domains Inc.","airbnbrooms19982.international@contactprivacy.com","whois.tucows.com","ns1.renewyourna me.net|ns2.renewyourname.net|","2016-05-12T01:59:59Z","2018-05-16T03:22:02Z","2019-05-12T01:59:59Z","2016-05-1200:00:00 UTC","2018-05-16 00:00:00 UTC","2019-05-1200:00:00 UTC","clientTransferProhibited","2018-05-17 07:00:00UTC","airbnb-rooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CANADA","","","14165385457","","airbnbrooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CANADA","","","14165385457","","","","","","","","","","","","","","","","","airbnb-rooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CA

Granted, there is a nicer way to present this result (e.g. you may unzip the csv file and open it with some spreadsheet application). However, there is no real need to do so: essentially all registrant data are obscured and this fact could be very easily found out in an automated way, too.

Hence, if one asks whether the domain used to be a malicious domain related to the phishing campaign against Airbnb, though we cannot state it with absolute certainty, it is extremely likely to have been so.

Lessons to learn

To conclude, WHOIS data are indeed very useful in the fight against e-mail phishing and similar malicious activities. Whois data and DNS data can be an important part of any anti-phishing security solution. What we have presented here was a hindsight investigation, but as the data in the daily feeds are always fresh and accurate, it is easy to turn this into an actual mail filtering procedure. A very significant limitation of the presented example is that we did not check the e-mail contents and we were considering the sender address. In most phishing e-mails there are web links in the e-mail body, and the header of the e-mail also contains technical information on servers whose registration details are of significant relevance. Nevertheless, what we did here gives a hint on how to perform such an analysis. We have used very simple generic tools to present feasible clues, but since CSV formats can be opened or imported with virtually any kind of software for data processing, there is a broad range of possible analyses based on the WHOIS data available in WhoisXML API's Whois database download subscription. Anti-phishing security solution vendors can embed whois database feed to enhance its capabilities.

Download the full article in PDF


What you should know about WHOIS and Security https://main.whoisxmlapi.com/what-you-should-know-about-whois-and-security Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/what-you-should-know-about-whois-and-security

If you’ve ever looked at a WHOIS entry, you probably know how much valuable information is contained within the records of just one domain registration. When this information is accurate, it can make getting in touch with other parties on the web a lot easier. In the real world however, accessing consistently accurate WHOIS data is more of a goal than anything else. For every accurate WHOIS record, there are many more inaccurate and sometimes fraudulent records.


Table of contents

If you’ve ever looked at a WHOIS entry, you probably know how much valuable information is contained within the records of just one domain registration. When this information is accurate, it can make getting in touch with other parties on the web a lot easier. In the real world however, accessing consistently accurate WHOIS data is more of a goal than anything else. For every accurate WHOIS record, there are many more inaccurate and sometimes fraudulent records.

WHOIS is important to organizations that seek to secure against threats across their digital landscape because aside inaccurate records, there are many potential threats. These include:

  • Spam
  • Malware
  • Botnet sources
  • Advanced Persistent Threats
  • Malicious traffic
  • Ransomware
  • Insider threats
  • State-sponsored threat actors

What is WHOIS?

WHOIS information, maintenance, and collection operations are dictated by regulations set forth by The Internet Corporation for Assigned Names and Numbers (ICANN). This Internet record listing identifies the owners and operators of a domain as well as indicating how to get in contact with them.

Collectively, this base of information provides integrity for domain registrations and a path for resolution for when issues might arise.

There are two channels of information in WHOIS information, known as thin and thick.

THIN: the first level of information that can be accessed. Registrar information, registration dates, and nameservers are found at this level.

THICK: Deeper ownership information includes names, addresses, and contact information for administrative, technical, and registrant parties (often the same as that of the registrant).

Look inside a WHOIS record

In any industry, standards have a way of updating and the forces behind WHOIS are just as susceptible to standard and implementation changes over time. For the most part however, these records are designed to include all contact and registration information for the parties that register a domain name, specific to the company, group and person in charge of various operational web elements.

Each WHOIS record should contain the following information:

  • The date of domain registration
  • The domain expiration date
  • Nameserver details
  • Name and contact information of the Registrant (domain owner)
  • The name and contact information of the organization or commercial entity that registered the domain name
  • Most recent update information

Uses for WHOIS information

WHOIS has a number of important uses which include:

  • Is a domain available?
  • Alert technical contacts to security and site issues
  • Disclose contact, address information behind a given site
  • Emergency/Outage contact information
  • Provide information for domain-related transactions
  • Uncover responsible parties behind intellectual property scenarios
  • Channel for security and incident response contacts
  • Overall historical and background information behind traffic and domain sources

WHOIS, from the field

Legitimate, fully populated and compliant records are exceedingly rare, especially when the volume of records collectively scale. This makes tracking down information a challenge. In addition to the millions of domains in existence, there are countless registrars with varying implemented and enforced registration standards. Servers that run the WHOIS service are also vast in numbers. Like many systems born from the early days of the internet, the WHOIS system wasn’t built to scale into the future. And if it can be inefficient, then it can be exploited.

Despite its imperfect nature, the WHOIS system and the information contained within are still critical to the industry as WHOIS reinforces the security and stability of the internet, largely as a channel for Internet Service Providers, network administrators, and security personnel to research and contact information that is domain-related. WHOIS also provides structure to the domain registration process as well as proving itself as a channel or investigative activities and law enforcement.

On a global scale, WHOIS information assists in campaigns against technology abuses, uncovering botnet networks, nefarious actors, suspicious traffic sources, intellectual property infringements and more with the ability to track information behind domain activities.

WHOIS issues

One big issue with the system is the maintenance and updating of data. The process is reliant on the original population of data that occurs when a domain is first registered. When things change, it is up to the registrant to change this information. As phone numbers, email information, addresses, and other information change, WHOIS data may become stale. The Internet Corporation for Assigned Names and Numbers, also known as ICANN, requests yearly routine updates of this information but it is not stringently enforced.

Another element is the existence of private domain registration. That is because WHOIS information is public and earlier on, in the days of domain registration, domain registrars offered privacy services, registering domains “by proxy” on their customer’s behalf.

The Future of WHOIS

Next Generation: Registration Data Access Protocol (RDAP)

All things must change, which is the way of technology and the internet. Seeking improvement in the integrity of domain records, the RDAP standard was developed as a successor to the WHOIS protocol and it is currently making its way through the adoption curve. The object was to create a standard for nimble, portable, and accurate data without the legacy issues of WHOIS. The emerging format features a standard, machine-readable JSON standard and a foundation build on RESTful web services. This systems is HTTP-compatible, so that error codes, user identification, authentication, and access control can be delivered through the universal HTTP web protocol.

RDAP-compliant records are registered through validated hosts and the features of RDAP services include:

  • Standardized queries and responses
  • Data object language capabilities that extend beyond English
  • Redirection capabilities that allow seamless referrals to other registries
  • Network address registrations for IPV4 and IPV6

RDAP specifications

  • RFC 7480 – HTTP Usage in the Registration Data Access Protocol (RDAP)
  • RFC 7481 – Security Services for the Registration Data Access Protocol (RDAP)
  • RFC 7482 – Registration Data Access Protocol (RDAP) Query Format
  • RFC 7483 – JSON Responses for the Registration Data Access Protocol (RDAP)


General Data Protection Regulation (GDPR) became effective in early 2018 and although there haven’t been a lot of significant fines or legal cases to emerge just yet, news stories indicate that a wave is coming. This sweeping reformation of privacy laws affects European Union countries as well as any company that might retain the private information of any European individual. These regulations dictate not only the protection of data, but the retention, collection, and distribution of personal information.

The WHOIS system is at odds with GDPR, because it is public, because it has specific information, and because it retains that information for extended periods of time. The fate of WHOIS in light of GDPR is unclear. In the aftermath of GDPR, some registrars have declined to comply with ICANN WHOIS information requirements, to avoid potential GDPR fines.

Security and WHOIS

The WHOIS system is a critical research and security component. Its information provides valuable background information that helps affirm proper network connectivity, domain source information, and contributes towards critical security and service continuity.

Cybersecurity professionals use WHOIS information to quickly assess and eliminate cyberthreats every day. To limit access to this information because of GDPR and other forthcoming privacy mandates would be to hamper this resource. Even with all of its flaws and a significant data accuracy challenge, WHOIS continues to prove to be a valuable forensic tool. Due to human nature and ease of registrations, researchers can quickly cross-compare domain registration information that can be associated with foreign nationals, cybercriminal groups, and other nefarious actors.

In some cases, researchers could correlate networks belonging to bad actors through inter-related domain registrations, common IP information, and other telling information that is gathered through the WHOIS system. Some of the largest organizations today rely heavily on domain registration data to add to their organizational security intelligence, to protect networks and applications, and secure data where it expected to be protected.

Email spam, malware, ransomware, virus distribution, insider threats, data leaks, advanced persistent threats, payloaded software, and many other types of threats can often be traced back to domain-sourced certificates and registrations. Therefore, protecting information proactively by using public information is the ultimate value of WHOIS to a security-minded organization.

The future of WHOIS information and security lies in maintaining an active, open environment and open database via which intelligence can be freely gathered and referenced. Every day, thousands of incidents can be and are protected by proactive investigative discoveries through this valuable system.

Download the full article in PDF


Open WHOIS advocates push for U.S. legislation to counter GDPR https://main.whoisxmlapi.com/open-whois-advocates-push-for-usa-legislation-to-counter-gdpr Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/open-whois-advocates-push-for-usa-legislation-to-counter-gdpr

The domain information lookup service WHOIS publishes data about the owners of websites around the world. WHOIS also contains personal information of the European Union (EU) citizens. Further, the database maintains location and infrastructure information of cybercriminals who set up websites with malicious intent.


The domain information lookup service WHOIS publishes data about the owners of websites around the world. WHOIS also contains personal information of the European Union (EU) citizens. Further, the database maintains location and infrastructure information of cybercriminals who set up websites with malicious intent.

So far, cybersecurity professionals and law enforcement have been able to access the public information of the European Union (EU) citizens unfettered. They have been using the registry to investigate and blacklist cybercriminal operations. Occasionally, this information helps government authorities with their investigations leading to arrests. There are investigations that used WHOIS information among other sources that resulted in charges against money launderers, hackers, and child pornographers, for instance.

WHOIS collects personal contact information from domain registration companies. The Internet Corporation for Assigned Names and Numbers (ICANN) controls the WHOIS database. ICANN is facing an existential threat from EU’s General Data Protection Regulation (GDPR) because its business model depends on the collection and publication of identifying information. The data sets include contact information of EU-based hackers known to have established malicious sites...

This white paper highlights

  • Why Does GDPR Exist?
  • What are the Pros and Cons?
  • What WHOIS Data Does GDPR Affect?
  • Hackers Shun the Public Record
  • How to Catch the Bad Guys
  • Anonymity Rules
  • Opportunities Await

Download the full article in PDF


Cyber Security Investigation and Analysis https://main.whoisxmlapi.com/cyber-security-investigation-and-analysis Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/cyber-security-investigation-and-analysis

The Internet is not just the hotspot of all things digital and technical. Largely due to its ubiquity and countless (and frequently anonymous) points of entry, the web has given rise to a new breed of outlaw – cybercriminals who prey on the wealth of valuable information available online.


The New Crime of the Digital Age

The Internet is not just the hotspot of all things digital and technical. Largely due to its ubiquity and countless (and frequently anonymous) points of entry, the web has given rise to a new breed of outlaw – cybercriminals who prey on the wealth of valuable information available online.

Lloyd’s Insurance estimates businesses’ global losses from cybercrimes in 2015 were $400B, while some vendors believe losses totaled $500B. Only estimates are available, because manyπ thefts go unreported as security breaches can damage an organization’s reputation.

Unfortunately, there is no end in sight. Losses roughly quadrupled from 2013 to 2015 and Juniper Research recently forecasted that in 2019 global losses will reach a staggering 2.1 trillion dollars.

In addition to the enormous financial losses, these online crimes have also ruined reputations of companies and rendered victims vulnerable, as the perpetrators now have access to critical data that may be used againstthem.

With advances in digital technology, online criminals have grown even more aggressive and creative in their ways, despite efforts to strengthen and tighten online security. The rackdown on these online crimes remains a constant challenge for many law enforcement agencies and private IT security professionals...

This white paper highlights

  • The New Crime of the Digital Age
  • Types of Cybercrimes
  • The Security Strategy
  • Cracking cybercrimes
  • The Whois API Solution
  • Hosted Whois Webservice
  • Whois Database Download
  • Reverse Whois
  • Taking the Next Steps

Download the full article in PDF


GDPR’s Chilling Effect on Cybersecurity https://main.whoisxmlapi.com/gdpr-is-chilling-effect-on-cybersecurity Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/gdpr-is-chilling-effect-on-cybersecurity

The European Union (EU) may unintentionally be giving cyber criminals a helping hand. The EU’s well-intentioned efforts to promote data privacy through its newly launched General Data Protection Regulations (GDPR) have also put handcuffs on the efforts of cybersecurity professionals to protect individuals and organizations from hackers. Unless global Internet authorities and infosec professionals are able to achieve a rapprochement with the EU, black hats may gain unprecedented advantages over white hats. Otherwise, the cybersecurity community will have to develop new approaches to protecting individuals and enterprises against hackers.


The European Union (EU) may unintentionally be giving cyber criminals a helping hand. The EU’s well-intentioned efforts to promote data privacy through its newly launched General Data Protection Regulations (GDPR) have also put handcuffs on the efforts of cybersecurity professionals to protect individuals and organizations from hackers. Unless global Internet authorities and infosec professionals are able to achieve a rapprochement with the EU, black hats may gain unprecedented advantages over white hats. Otherwise, the cybersecurity community will have to develop new approaches to protecting individuals and enterprises against hackers.

What Is GDPR?

The EU’s GDPR mandate requires its National Data Protection Authorities ("DPAs") to enforce how organizations handle the personal data of the EU citizens. The law came into force on May 25, 2018. Companies and institutions incorporated in the EU countries will be responsible for the proper protection of personal data they collect and maintain. Most of the companies will also have to modify the ways in which they relate with customers in terms of the data, and what they should do in the event of a data breach...

This white paper highlights

  • What Is GDPR?
  • GDPR Throws Cybersecurity into Disarray
  • If ICAAN, Hackers Can Too
  • GDPR Carries A Big Stick
  • WHOIS May Become a Dispensable Tool for Infosec
  • ICANN Explores Alternatives
  • Planning for a Future without WHOIS

Download the full article in PDF